htaccess files

You can't live with them, you can't live without them.
Whether you want it or not, creating a good web based application these days involves editing and creating these little buggers.
And they are ugly little brutes. If you want to really offend someone tell him: "You look like a .htaccess file!" That should do the trick.

But all in all, you have to tame them in order to get some results and this is where this thread steps in.
I'll try to do my best in explaining possibilities of these files and things you can do with them in a friendly way.

Now, I've seen hundreds of .htaccess tutorials on the net and some are OK, some look like they were written for people with 3 brains and 7 microprocessors in the head. But most of them fail describing what a .htaccess file is. Sometimes even I'm not sure what they are but I'll try to explain.

First of all, they only work with Apache server! So it doesn't matter if your web server is running Linux, Mac OS or Windows, it needs to run on Apache.
Now when we have that cleared up, what do they do?
Imagine the Apache server as the USA (United States of America in case you think it's an IT acronym). And like the USA, Apache has its rules. USA has laws, the constitution and whatnot. Apache has a configuration file (usually httpd.conf or apache2.conf but it can be called different on your server). USA has amendments, and Apache has modules. These are the extensions and changes to the original set of rules.
Finally, each state in the USA has it's own state laws. Each folder has it's own "laws" and they can be found in the .htaccess file.
Laws are complicated to read, so is the htaccess file. But if lawyers can read laws, then webmasters should be able to read htaccess files.

OK, enough with the metaphor. A few more important things are:
If Apache can't find the .htaccess file in the folder it uses global rules set in the main configuration (which you usually don't have access to unless it's your own server). And if you apply an .htaccess file to the folder /yourserver/www/script/ the .htaccess file will work for all the sub folders in the script/ folder.
But sometimes you want some other subfolders to have a different set of rules. That's fairly easy. Just create a new .htaccess file in the subfolder of your choice and it'll overrule the .htaccess file in the parent folder.
In the next post I'll give you an overview of things that can be done with one of these files, and then we'll go on to writing our own rules.

One more thing I forgot to add: you should set the permissions to your .htaccess files (chmod) to 644 so the server can read them but not anyone else.
Exposing your .htaccess file imposes a serious security risk so be warned!

OK, here's a list of things you can do with them:
1. Password protect your folders
2. Rewrite your URLs (the infamous mod_rewrite) -- I'm not going to write about this since I have already written a post about this here.
3. Change the default error documents
4. Block and allow users by IP addresses
5. Block referrers
6. Block bots you don't like and/or offline browsers, site downloaders etc...
7. Prevent listing of directories
8. Add MIME types
9. Redirect pages
10. Stop people hotlinking your files
11. Enable SSI
12. Change your default pages

1. Password protecting your web folders

So, you've finally decided to write a love song for your girlfriend who works as a IT technician, so you thought putting it on your website might be romantic. But you don't want your friends see how you make a complete fool out of yourself.
Well, I have some good news and some bad news for you. The good news is, you can password protect your love song and send the access data to your girlfriend but the bad news is that you're still making a fool out yourself since it's not romantic at all.

You still want to do it? Wow, you're persistent. Well here's how to do it:
you have a site: www.yoursite.com
and you've decided to put the love song in:
www.yoursite.com/lovesong/
And you want it protected.
Create the subfolder lovesong in your public_html folder on the web server.
Create a .htaccess file with this content in the lovesong folder:

Code:

AuthUserFile /home/myaccount/safedirectory/.htpasswd
AuthGroupFile /dev/null
AuthName EnterPassword
AuthType Basic

require user mydarling

The above code will produce a password protected directory which only your darling could access.
The first line specifies the direct path (not the URL) to the .htpasswd file which contains the username and the hashed password. If possible, put this file in a folder which can't be accessed over the Web (usually a folder called private/) -- a folder which is not contained in the public_html/ or www/ folder).
Now all you need to do is create the content for this file.
It should look like this:

Code:

username:hashedpassword

To hash the password you can use this tool.

Although there are lots of tools to do this on the net. This one is just an example.

The require user line specifies that only the user mydarling can access the content of the folder lovesong/.
If you have more than one girlfriends (you dirty dog! ), add their user data to the .htpasswd file and in your .htaccess file change the line:

Code:

require user mydarling

to

Code:

require user valid-user

This allows access to all authenticated users from the .htpasswd file.

Now upload your love song (or whatever you're trying to hide) to the lovesong/ sub folder and you're good to go (get the boot from the girlfriend).

[temi]

Excellent tutorials, keep going

3. Changing error documents

So what's this? Well you must have seen HTTP errors from time to time. You know: "Error 404 - Not found" and stuff like that.
Instead of the default white pages with black text you can have flashy pages that go well with your design.
There's no real reason for doing this except the fact that it makes your website look more professional.
The usual errors you'll be creating new pages for are:
400 - Bad Request
401 - Authorization Required
403 - Forbidden
404 - Not Found
500 - Internal Server Error

There are more but this isn't a place or time to list them all and creating error pages for some isn't recommended (200 in example would create an infinite loop since it's a success code).

So first create your own custom error pages and give them names.
Put them all in one folder on your server, I'll use error/ in this example.
Add this to your .htaccess file (or create a new one if you don't have one already):

Code:

ErrorDocument 400 /error/400.html
ErrorDocument 401 /error/401.html
ErrorDocument 403 /error/403.html
ErrorDocument 404 /error/404.html
ErrorDocument 500 /error/500.html

You get the idea. Just be careful to get the names of your files right and you've done everything.

You can even specify HTML code in the htaccess file instead of linking to a file:

HTML Code:

ErrorDocument 404 "<body bgcolor=#FF0000><b>Not found!</b> But if you wait long enough someone might start looking for it. <img src="/smiley.gif" /></body>"

OK, you've now got custom error documents! You're way cool now!

4. Blocking and/or allowing IPs

Remember that (ex-)girlfriend of yours you wrote that love song for? Well, she ditched your ass but that's not all. Now she started spamming your site's forum, guestbook, blog. She's all over the place and you just don't have the time to delete her comments.
But you know she has a static IP. You're in luck!
Add these lines to your .htaccess file:

Code:

deny from 123.123.123.12

If her IP is 123.123.123.12 she won't be able to access your site.
You can also deny all users (even you) but the server will still be able to access the files in the folder:

Code:

deny from all

You can allow only certain users:

Code:

allow from 123.123.123.12

That's not enough?
Well you can ban or allow IP ranges. Let's say you want to ban all the users from 123.123.123.1 to 123.123.123.255
Do this:

Code:

deny from 123.123.123.

And you're set.

You can even allow or ban certain domains.
Example:

Code:

allow from www.ukwebmasterworld.com

Which would allow access to the part of your site from www.ukwebmasterworld.com

Your site is now safe from the old hag!

5. Blocking referrers

Blocking links to your site which come from one domain has numerous reasons and I'm not going to list them here. You have your own reasons and I respect them.

This is actually an update to the mod_rewrite setting. So you can only do this if you have the mod_rewrite module on your server.

This is what you write in your .htaccess:

Code:

RewriteEngine on
Options +FollowSymlinks
RewriteCond %{HTTP_REFERER} siteyouareblocking\.com [NC]
RewriteRule .* - [F]

That will block the siteyouareblocking.com
To block multiple sites do this:

Code:

RewriteEngine on
Options +FollowSymlinks
RewriteCond %{HTTP_REFERER} siteyouareblocking\.com [NC,OR]
RewriteCond %{HTTP_REFERER} anothersite\.com
RewriteRule .* - [F]

The [NC] makes the domain case insensitive.
The [F] in the RewriteRule is to show the 403 Forbidden error to those who go to your site via the blocked site.

[Alam]

Thanks for nice tutorial

MyWeb.com

can i show this above link to like this www.myweb.com/url/2345

if yes then how :d

Quote:

Originally Posted by Alam

Thanks for nice tutorial

MyWeb.com

can i show this above link to like this www.myweb.com/url/2345

if yes then how :d

I've written about that as previously noted in this thread.
Take a look here:
http://forums.ukwebmasterworld.com/p...-tutorial.html

[Alam]

Thanks for your reply and want to know that I have visitied your indicated thread and happy for getting my result
You have done a good job for us :d