A .htaccess file is a file that works on Apache and other NCSA-compliant
webservers. The name is actually a bit of a misnomer, because
hyper-text access is only a small part of what its capabilities
are.
The .htaccess file affects the directory it is located in and all
directories below it on the directory tree, unless one of those
directories contains its own .htaccess file, in which case that file
takes priority for that directory and all directories located below it
in the tree. Thus if a .htaccess file is contained within the root
directory it will affect all directories on the webserver.
The basics are as follows. The .htaccess file is an ASCII (American
Standard Code for Information Interchange) text file; these files are
most easily generated through Notepad or anything that can save in
simple text format. One of the most common questions about .htaccess
files is what to name them. Unfortunately they can have no name, and the
extension (although uncommon) really is 8 characters long.
Creating the file is somewhat tricky because programs like the Windows
operating system will not allow you to have a file with no name and only
an extension. To get around this, name the file whatever you would like
and, after it has been uploaded to the server, rename it to .htaccess.
At this point, however, the file will become invisible to browsers and
FTP clients (although it can still be navigated to and its contents
viewed). This is because any file with a period at the beginning of its
name is considered a hidden file.
When uploading the .htaccess file it is very important to make sure that
you upload it as ASCII and not as binary. Once it has been uploaded
there are a few precautions you can take to prevent it from being read
by a browser. One is to CHMOD its permissions to 644 (or RW-R--R--). The
others will be covered later on in more detail. Due to the nature of
the information stored in the .htaccess file it is usually of the utmost
importance to keep it secure.
When creating a .htaccess file for the first time there is one quick
note to keep in mind: most commands are meant to be placed on one line.
If you are using a text editor which has a word wrap feature, it may be
in your best interest to turn it off, as wrapping can insert line breaks
that Apache does not understand and cause your scripts to fail. Also
note that .htaccess files will not work on an NT or Windows platform.
There are various other methods of accomplishing the tasks that
.htaccess provides, but none that are bundled together in such a nice
little package.
.htaccess files are not globally accepted. Because they can be used for
security, they can also become very serious security holes. Because of
this, some webhosting companies have either limited the use of .htaccess
or removed it altogether. Before you take the time to create a
.htaccess file or series of them you should always know what you can and
cannot do.
Custom Error Pages / Request Pages
There are various client requests and error pages that can happen when
someone is navigating a website. A brief list of them is as follows:
200 - Okay
201 - Created
202 - Accepted
203 - Non-Authoritative Information
204 - No Content
205 - Reset Content
206 - Partial Content
400 - Bad Request
401 - Authorization Required
402 - Payment Required
403 - Forbidden
404 - Not Found
405 - Method Not Allowed
406 - Not Acceptable
407 - Proxy Authentication Required
408 - Request Timed Out
409 - Conflicting Request
410 - Gone
411 - Content Length Required
412 - Precondition Failed
413 - Request Entity Too Long
414 - Request URI Too Long
415 - Unsupported Media Type
On this list I have included some good and some bad things that custom
pages could be set up for in a .htaccess file. For instance, if you set
up a custom page for the 200 request, then every time someone
successfully typed in a URL or accessed your website and a page came up
successfully, it would refresh to the page you specified in the
.htaccess file. As soon as that page was successfully brought up it
would then redirect back to the page specified in the .htaccess file,
and so on infinitely. This would be an example of a bad way to use this
feature.
However, if you were to set it up for error 404, then when someone typed
in an incorrect URL or a link to a page had become outdated, they could
be redirected to a nice professional looking page which could also be
useful and provide links back to your main page or to a help section
within your website.
The code used within a .htaccess file to redirect upon the completion of
a request or error is as follows (and only goes on a single line):
ErrorDocument code /directory/filename.ext
For instance this could look like:
ErrorDocument 404 /errors/404.html
This would redirect anyone who got a 404 error on my website to a folder
called errors and then to a file named 404.html.
You also have the ability to add HTML to the .htaccess file for these,
for instance you could add:
ErrorDocument 404 "<body bgcolor=#FFFFFF><h1> The page you are requesting is not here, please use your back button to return. </h1>
Notice that there is a quotation mark before the HTML code but not at
the end of it. This is as it should be for Apache to read it correctly
(this is the Apache 1.3 syntax; Apache 2.0 and later expect the text to
be closed with a second quotation mark). Also make sure that it is all
on one line, so turn off your word wrap when inputting it.
Password Protecting Folders
In order to password protect any directory you will require two files: a
.htaccess file and a .htpasswd file. The naming convention for the
.htpasswd file is identical to that of the .htaccess file.
Within the .htpasswd file you will need to put the username and password
(although the password must be encrypted) you would like to use. For
instance, if we use the username of username and the password of
password it would look like this:
username:66yGQHg8KA7jw
In order to encrypt a password you can go to http://www.earthlink.net/cgi-bin/pwgenerator.pl
or do a search on Google for password encryptor.
For security purposes it is recommended that you do not place your
.htpasswd file in a directory that is web accessible; rather, try to
place it above your root www directory. Also make sure that you upload
the .htpasswd file as ASCII instead of binary.
Now you must add the code to the .htaccess file which will be located
within the directory you would like to password protect:
AuthUserFile /home/users/web/b2278/ph.dprouse/.htpasswd
AuthGroupFile /dev/null
AuthName EnterPassword
AuthType Basic
require user username
The AuthUserFile line deals with the absolute location (not the web
location) of the .htpasswd file. There is no set standard for this, so
always make sure you double check with your webhost provider. The
AuthName line is arbitrary; it can say whatever you would like to put in
there within reason (no spaces). The AuthType is Basic because we are
using an HTTP login.
The final line is require user and then the customer's username. This is
set up as though each user has their own separate directory they can
have access to. If you have multiple users that would like to access the
same directory, change the last line to read:
require valid-user
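A check for the two precautions above (password file kept out of the web root, and the strength of the stored hash), as an added example that is not part of the original article. The AuthUserFile path and the username entry are the article's; the second user, its placeholder hash and both web-root paths are constructed assumptions.

```python
import re
from pathlib import PurePosixPath

# Hash formats seen in .htpasswd files: (pattern, name, acceptable?).
SCHEMES = [
    (re.compile(r"^\$2[aby]\$"), "bcrypt", True),
    (re.compile(r"^\$apr1\$"), "apr1 (salted MD5)", True),
    (re.compile(r"^\{SHA\}"), "unsalted SHA-1", False),
    (re.compile(r"^[./0-9A-Za-z]{13}$"), "DES crypt (first 8 characters only)", False),
]

def classify_hash(value):
    """Return (scheme name, acceptable?) for the hash field of one entry."""
    for pattern, name, ok in SCHEMES:
        if pattern.search(value):
            return name, ok
    return "unknown or plaintext", False

def auth_user_file(htaccess_text):
    """Return the AuthUserFile path named in .htaccess text, or None."""
    for line in htaccess_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "authuserfile":
            return parts[1].strip().strip('"')
    return None

def audit(htaccess_text, htpasswd_text, docroot):
    """List findings on password-file placement and hash strength."""
    path = auth_user_file(htaccess_text)
    if path is None:
        return ["no AuthUserFile directive found"]
    findings = []
    if PurePosixPath(docroot) in PurePosixPath(path).parents:
        findings.append(f"{path} is inside the web root {docroot}")
    for line in htpasswd_text.splitlines():
        user, sep, value = line.strip().partition(":")
        name, ok = classify_hash(value)
        if sep and not ok:
            findings.append(f"user {user}: weak hash format: {name}")
    return findings

# Article's directive and first entry; "alice" and both web roots are constructed.
HTACCESS = "AuthUserFile /home/users/web/b2278/ph.dprouse/.htpasswd\nAuthType Basic\n"
HTPASSWD = "username:66yGQHg8KA7jw\nalice:$2y$05$" + "x" * 53 + "\n"
ROOTS = ("/home/users/web/b2278/ph.dprouse/www", "/home/users/web/b2278/ph.dprouse")

if __name__ == "__main__":
    for root in ROOTS:
        print(root, audit(HTACCESS, HTPASSWD, root))
```

The htpasswd utility that ships with Apache writes these entries locally, so the password never has to be typed into a third-party page; on Apache 2.4 its -B option selects bcrypt.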
Enabling SSI Through .htaccess
Many webhosts do not allow SSI access. This is because there are many
SSI hacks out there and it is a large vulnerability. There is a way to
allow it, although you should always contact your host and make sure
that this is permitted, as it can be a breach of your terms of service.
The following lines must be added to your .htaccess file:
AddType text/x-server-parsed-html htm html
The AddType line adds a MIME type to the text category and the extension
is .shtml. This allows them to be seen on the server; even though most
hosts do allow this, it is always better to add it to the code to make
sure. The AddHandler line makes sure that all .shtml files are
server-parsed for server side commands.
If you do not feel like renaming all of your .html files to .shtml you
can add this line between the first and second lines above:
AddHandler server-parsed .html
This line is not overly recommended as it will cause the server to parse
every file with the .html file extension. This adds extra load time to
every page you have as well as extra server strain. If you are worried
about load time it is always better to only use the .shtml files.
If you are planning on using the .shtml extension and would like to use
SSI on your index page you must add another line of code into your
.htaccess file:
DirectoryIndex index.shtml index.html
This line of code will allow your index file to be index.shtml, and if
it does not find one it will automatically check for an index.html.
Blocking Users By IP Address
If you need to block someone or a group of people from accessing your
website, it is as simple as adding the following lines of code to your
.htaccess file:
order allow,deny
deny from xxx.xxx.xxx.xxx
deny from xxx.xxx.xxx
allow from all
The first line sets the order of steps: the first step is to allow, then
to deny. The second line is the first line of denials; there can be as
many as you require. This line will prevent anyone from IP address
xxx.xxx.xxx.xxx from entering this directory (or website). The third
line will block everyone from an IP range: anyone at xxx.xxx.xxx.???
will be blocked, such as xxx.xxx.xxx.1, xxx.xxx.xxx.2 ...
xxx.xxx.xxx.255. The last line will allow everyone else to enter.
However, if you choose to prevent everyone you could set this line to
read:
deny from all
You may also allow or deny by domain name, such as:
deny from .purehost.com
This will block all users from this domain, and it also includes all
sub-domains (such as username.purehost.com).
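How Apache evaluates these directives for one client, including the whole-octet matching of a partial address, as an added example that is not part of the original article. The addresses are documentation ranges chosen for the example, and the client hostname is passed in by the caller, standing in for the reverse DNS lookup the server performs.

```python
def matches(spec, ip, host=None):
    """True if one 'from' argument matches the client (IPv4 only)."""
    spec = spec.lower()
    if spec == "all":
        return True
    if spec[0].isdigit():
        # Full or partial address: compare whole octets, not characters,
        # so "192.0.2" covers 192.0.2.x but never 192.0.25.x.
        want = spec.rstrip(".").split(".")
        return ip.split(".")[:len(want)] == want
    if host is None:
        return False  # name rule, but no resolved client name supplied
    name = spec.lstrip(".")
    host = host.lower()
    return host == name or host.endswith("." + name)

def parse(rules):
    """Return (order, allow specs, deny specs) from directive text."""
    order, specs = "deny,allow", {"allow": [], "deny": []}
    for line in rules.splitlines():
        words = line.lower().split()
        if len(words) == 2 and words[0] == "order":
            order = words[1]
        elif len(words) >= 3 and words[0] in specs and words[1] == "from":
            specs[words[0]].extend(words[2:])
    return order, specs["allow"], specs["deny"]

def allowed(rules, ip, host=None):
    """Apply the Order/Allow/Deny rules to one client."""
    order, allow, deny = parse(rules)
    hit_allow = any(matches(s, ip, host) for s in allow)
    hit_deny = any(matches(s, ip, host) for s in deny)
    if order == "allow,deny":
        return hit_allow and not hit_deny  # default deny; Deny wins
    return hit_allow or not hit_deny       # deny,allow: default allow; Allow wins

# Constructed rules in the article's layout, using documentation addresses.
RULES = """order allow,deny
deny from 198.51.100.7
deny from 192.0.2
deny from .purehost.com
allow from all"""

if __name__ == "__main__":
    for ip, host in [("198.51.100.7", None), ("192.0.25.1", None),
                     ("203.0.113.9", "username.purehost.com")]:
        print(ip, host, allowed(RULES, ip, host))
```

Apache 2.4 moved Order, Allow and Deny into mod_access_compat and replaced them with the Require directive.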
Changing Your Default Directory
If you have a problem setting your homepage to index.html you may want
to look into using this piece of code in your .htaccess file:
DirectoryIndex filename.ext
When someone accesses your website they will then be directed to the
filename listed instead of the typical index.html file. You can also set
up priorities on this: if you were to list multiple files it would check
for the first one and, if unable to find it, move on to the second one
and so forth.
For example:
DirectoryIndex danny.html index.pl home.php index.html
This would first check for the danny.html file and, if unable to find
it, check for the index.pl file; if unable to locate that, check for the
home.php file; and if unable to find that, check for the index.html
file. Once it has exhausted all of these it would display a 404 error
(hopefully you have already set up a custom one using your .htaccess
file).
.htaccess Redirects
Although redirects can be coded through many different means, such as
http-equiv, JavaScript, or any type of dynamic scripting, it is
typically more efficient to do it through a .htaccess file. The reason
is that the coding for all your redirects can be done through a single
file instead of having to add code to multiple files. This can save
time, which ultimately can mean the difference between someone coming to
your site and finding broken links or not seeing updated information.
.htaccess uses redirect to look for any request for a specific page (or
a non-specific location, though this can cause infinite loops) and if it
finds that request, it forwards it to a new page you have specified:
Redirect /folder1/file1.html http://site.com/folder2/file2.html
Notice there are three separate yet required parts to this line of code.
The first part is the Redirect command; this informs the browser that
when a specific file or folder is accessed the browser is going to be
redirected to a new location. The second part is the address of the file
or folder you want to redirect from, relative to your root directory.
The third and final part is the file or folder that you want to redirect
to; this should be indicated by the complete path to it.
As with most .htaccess commands, all three sections of this are
separated by a single space but located on one line. This command will
often be used if there are massive changes to a website, for instance if
you have created an entire new site which is located in a separate
folder. You would use the redirect command and specify the old folder
and then specify the new folder.
Hiding Your .htaccess
Because your .htaccess file can often contain information that is very
pertinent to your website or information that can be potentially a
security risk it is always better to limit access to it as much as
possible. If you have set incorrect permissions or if your server is not
as secure as it could be, a browser has the potential to view an
htaccess file through a standard web interface and thus compromise your
site/server. This, of course, would be a bad thing. However, it is
possible to prevent an htaccess file from being viewed in this manner:
<Files .htaccess>
order allow,deny
deny from all
</Files>
The first line specifies that the file named .htaccess is having this
rule applied to it. You could use this for other purposes as well if you
get creative enough. If you use this in your htaccess file, a person
trying to see that file would get returned (under most server
configurations) a 403 error code. You can also set permissions for your
htaccess file via CHMOD, which would also prevent this from happening,
as an added measure of security: 644 or RW-R--R--.
Adding MIME Types
If you are using a file extension that is not set on the server, which
can be a common occurrence with MP3 or even SWF files, you can specify
what type of file it is by adding this line of code to your .htaccess
file:
AddType application/x-shockwave-flash swf
AddType is specifying that you are adding a MIME type. The application
string is the actual parameter of the MIME you are adding, and the final
little bit is the default extension for the MIME type you just added, in
our example this is swf for ShockWave File.
If you need to find the application string of the file you are adding,
most of them are located at filext.com. Also, if you have a file whose
extension is set on the server to open with something and you would
rather have it downloaded (for instance .xml), you can specify the
application string as:
application/octet-stream