<ifModule>
 clever stuff here
</ifModule>

 

This work in progress is some collected wisdom, stuff I've learned on the topic of .htaccess hacking, commands I've used successfully in the past, on a variety of server setups, and in most cases still do. You may have to tweak the examples some to get the desired result, though, and a reliable test server is a powerful ally, preferably one with a very similar setup to your "live" server. okay, to begin..

.htaccess files are invisible

There's a good reason why you won't see .htaccess files on the web; almost every web server in the world is configured to ignore them, by default. Same goes for most operating systems. Mainly it's the dot "." at the start, you see?


If you don't  see, you'll need to disable your operating system's invisible file functions, or use a text editor that allows you to open hidden files, something like bbedit on the Mac platform. On windows, showing invisibles in explorer should allow any text editor to open them, and most decent editors to save them too (even notepad can save them if you use double-quotes around the name.. ".htaccess"). Linux dudes know how to find them without any help from me.



In both images, the operating system has been instructed to display invisible files. ugly, but necessary sometimes. (I deleted the "darkstat.php" file just after snapping the mac screenshot, moved that redirection to my 404 script, is why it's in the mac version, and not the peecee one!)

 

Simply put, they are invisible plain text files where one can store server directives. Server directives are anything you might put in an Apache config file (httpd.conf) or even a php ini file (php.ini, that is, unless you are running under phpsuexec, in which case you would use an actual  php.ini for those), but unlike those "master" directive files, these .htaccess directives apply only to the folder in which the .htaccess file resides, and all the folders inside.

This ability to plant .htaccess files in any directory of our site allows us to set up a finely-grained tree of server directives, each subfolder inheriting properties from its parent, whilst at the same time adding to, or over-riding certain directives with its own .htaccess file. For instance, you could use .htacces to enable indexes all over your site, and then deny indexing in only certain subdirectories, or deny index listings site-wide, and allow indexing in certain subdirectories. One line in the .htaccess file in your root and your whole site is altered. From here on, I'll probably refer to the main .htaccess in the root of your website as "the master .htaccess file", or "main" .htaccess file.

There's a small performance penalty for all this .htaccess file checking, but not noticable, and you'll find most of the time it's just on and there's nothing you can do about it anyway, so let's make the most of it..

 

Almost any directive that you can put inside an httpd.conf file will also function perfectly inside an .htacccess file. Unsurprisingly, the most common use of .htaccess is to..

.htaccess is most often used to restrict or deny access to individual files and folders. A typical example would be an "includes" folder. Your site's pages can call these included scripts all they like, but you don't want users accessing these files directly. In that case you would drop an .htaccess file in the includes folder with content something like this..

NO ENTRY!

# no one gets in here!
deny from all

which would deny ALL direct access to ANY files in that folder. You can be more specific with your conditions, for instance limiting access to a particular IP range, here's a handy top-level rule for a local test server..

NO ENTRY outside of the LAN!

# no nasty crackers in here!
order deny,allow
deny from all
allow from 192.168.0.0/24
# this would do the same thing..
#allow from 192.168.0

Generally these sorts of requests would bounce off your firewall anyway, but on a live server (like my dev mirror is) they become useful for filtering out undesirable IP blocks, known risks, lots of things. Whatever, the user gets a 403 "access denied" error page in their client software (browser, usually), which does little more than get the message across. This is probably fine for most situations, but in part two I'll demonstrate some cooler ways to deny access.

 

The next most obvious use for our .htaccess files is to allow access to only specific users, or user groups, in other words; password protected folders. a simple authorisation mechanism might look something like this..

a simple sample .htaccess file for password protection:

AuthType Basic
AuthName "restricted area"
AuthUserFile /usr/local/var/www/html/.htpasses
require valid-user

You can use this same mechanism to limit only certain kinds of requests, too..

only valid users can POST in here, anyone can GET, PUT, etc:

AuthType Basic
AuthName "restricted area"
AuthUserFile /usr/local/var/www/html/.htpasses
<Limit POST>
 require valid-user
</Limit>

You can find loads of online examples of how to setup authorisation using .htaccess, so long as you have a real user with a real password in a real password file..

htpasswd -c /usr/local/var/www/html/.htpasses jimmy

..the above will work just fine. (htpasswd is a tool that comes with apache, specifically for making and updating password files. Naming the password file ".htpasses" is a habit from when I had to keep that file inside the web site itself, and as web servers are configured to ignore files starting ".ht" they too, remain hidden. If you keep your password file outside the web root (a much better idea), then you can call it whatever you like.) Okay, that's that out of the way.

Those examples assume that your web server supports "Basic" http authorisation, as far as I know they all do (it's in the Apache core). The only trouble is, some browsers aren't sending password this way any more, personally I'm looking to php to cover my authorisation needs. Basic auth works okay though, even if it isn't actually very secure (your password travels in plain text over the wire, not clever).

 

If you add something that the server doesn't understand or support, you will get a 500 error page, aka.. "the server did a boo-boo". Even directives that work perfectly on your test server at home may fail dramatically at your real site. In fact this is a great way to find out if .htaccess files are enabled on your site; create one, put some gibberish in it, and load a page in that folder, wait for the 500 error. if there isn't one, probably they are not enabled.

If they are, we need a way to safely do live-testing without bringing the whole site to a 500 standstill.

Fortunately, in much the same way as we used the <Limit> tag above, we can create conditional directives, things which will only come into effect if certain conditions are true. The most useful of these is the "ifModule" condition, which goes something like this..

only if PHP is loaded, this will this directive have any effect

<ifModule mod_php4.c>
 php_value default_charset utf-8
</ifModule>

..which placed in your master .htaccess file, that would set the default character encoding of your entire site to utf-8 (a good idea!), at least, anything output by PHP. If the PHP4 module isn't running on the server, the above .htaccess directive will do exactly nothing; apache just ignores it. As well as proofing us against knocking the server into 500 mode, this also makes our .htaccess directives that wee bit more portable. Of course, if your syntax is messed-up, no amount of if-module-ing is going to prevent a error of some kind, all the more reason to practice this stuff on a local test server.

 

So far we've only scratched the surface. aside from authorisation, the humble .htaccess file can be put to all kinds of uses. If you've ever had a look in my public archives you will have noticed that that the directories are fully browsable, just like in the old days before adult web hosts realized how to turn that feature off! a line like this..

bring back the directories!

Options +Indexes +MultiViews +FollowSymlinks

will almost certainly turn it back on again. And if you have mod_autoindex.c installed on your server (probably, yes), you can get nice fancy indexing, too..

show me those files!

<IfModule mod_autoindex.c>
 IndexOptions FancyIndexing
</ifModule>

..which, as well as being neater, allows users to click the titles and, for instance, order the listing by date, or filesize, or whatever. It's all for free too, built-in to the server, we're just switching it on. You can control certain parameters too..

let's go all the way!

<IfModule mod_autoindex.c>
 IndexOptions FancyIndexing Icon Icon
</ifModule>

Other parameters you could add include..

Name
Description
IconsAreLinks SuppressHTMLPreamble (handy!)

I've chucked a copy of my own fancy indexing .htaccess file onsite for you to have some fun with. Just add readme.html and away you go! note: these days I use a single header files for all  the indexes, and only drop in local "readme" files. Check out the example, and my public archives for more details.

It really is worth scouting around the Apache documentation, often you will find controls for things you imagined were uncontrolable, thereby creating new possibilities, better options for your website. My experience of the magic "LAMP" (Linux-Apache-MySQL-PHP) has been.. "If you can imagine that it can be done, it can be done". Swap "Linux" for any decent operating system, especially Mac OS X.

Okay, so now we have nice fancy directories, and some of them password protected, if you don't watch out, you're site will get popular, and that means bandwidth..

 

If you pay for your bandwidth, this wee line could save you hard cash..

save me hard cash! and help the internet!

<ifModule mod_php4.c>
 php_value zlib.output_compression 16386
</ifModule>

All it does is enables PHP's built-in transparent zlib compression. This will half your bandwidth usage in one stroke, more than that, in fact. Of course it only works with data being output by the PHP module, but if you design your pages with this in mind, you can use php echo statements, or better yet, php "includes" for your plain html output and just compress everything! Remember, if you run phpsuexec, you'll need to put php directives in a local php.ini file, not .htaccess. See here for more details.

 

remember how I mentioned that any file beginning with .ht is invisible? .."almost every web server in the world is configured to ignore them, by default" and that is, of course, because .ht_anything files generally have server directives and passwords and stuff in them, "most servers" will have something like this..

Standard setting..

<Files ~ "^\.ht">
 Order allow,deny
 Deny from all
 Satisfy All
</Files>

which instructs the server to deny access to any file beginning with .ht, effectively protecting our .htaccess and other files. This version..

ignore what you want

<Files ~ "^.*\.([Ll][Oo][Gg])">
 Order allow,deny
 Deny from all
 Satisfy All
</Files>

tells the server to deny access to *.log files. You can insert multiple file types into each rule, separating them with a pipe "|", and you can insert multiple blocks into your .htaccess file, too. I find it convenient to put all the files starting with a dot into one, and the files with denied extensions into another, something like this..

the whole lot

# deny all .htaccess, .DS_Store $hî†é and ._* (resource fork) files
<Files ~ "^\.([Hh][Tt]|[Dd][Ss]_[Ss]|[_])">
 Order allow,deny
 Deny from all
 Satisfy All
</Files>

# deny access to all .log and .comment files
<Files ~ "^.*\.([Ll][Oo][Gg]|[cC][oO][mM][mM][eE][nN][tT])">
 Order allow,deny
 Deny from all
 Satisfy All
</Files>

would cover all ._* resource fork files, .DS_Store files (which the Mac .">Finder creates all over the place) *.log files, *.comment files and of course, our .ht* files. You can add whatever filetypes you need to protect from direct access. I think it's clear now why the file is called ".htaccess".

 

These days, using <FilesMatch> is preferred over <Files>, mainly because you can use regular expression in the conditions. Very handy. Here's an example (used for my php-generated style sheets)..

parse file.css and file.style with the php machine..

# handler for phpsuexec..
<FilesMatch "\.(css|style)$">
 SetHandler application/x-httpd-php
</FilesMatch>

Any files matching the regular expresssion statement, that is anything.css or anything.style will now be handled by php, rather than simply served up by Apache. Any <Files> statements you come across can be advantageously replaced by <FilesMatch> statements. Good to know.

 

That should get you started with .htaccess, quite easy when you know how. If you really want to bend your brain out of shape, follow the link below for part two of the series, where I delve into the arcane mysteries of URL rewriting.

 

 

 go to part two..  

Before you ask a question..

PLEASE ensure you have at least read the article above. If you want to ask questions about rewriting (mod_rewrite) please do so on THAT page!

previous comments (six pages)   show all comments