Home » Htaccess
[hide]
The Apache HTTP Server is the #1 web server in the world, and is the main software .htaccess files are used with. .htaccess (Hypertext Access) is the default name of Apache's directory-level configuration file. It provides the ability to customize configuration directives defined in the main configuration file. The configuration directives need to be in .htaccess context and the user needs appropriate permissions. ".htaccess iis" for windows, ".htaccess windows" and also look at sample .htaccess files to really get good at creating htaccess files.
I discovered these tips and tricks mostly while working as a network security penetration specialist hired to find security holes in web hosting environments. That is when I started examining htaccess files in great detail and learned about the incredible untapped power of htaccess. The only avenue on shared-hosting was and is the .htaccess file, and holy freaking fiber-optics.. it's almost as powerful as httpd.conf itself
Want to redirect all links with any uppercase characters to lowercase using pure mod_rewrite within an .htaccess file? Sure why not! OR how to use RewriteMap and mod_speling for those with access to httpd.conf
So here's the basic idea: There are 2 sites, a development site and a live site. They are essentially mirrors of each other in terms of they have the same files. You need to disallow all search engine robots from indexing and crawling the development site, while allowing full crawling of your live site. Htaccess to the rescue!
Use mod_rewrite to enable phpMyAdmin links in the form: /dbname/table/
Request to http://www.askapache.com/cg/rewrite-test/?catch=caught&this=that
RewriteCond %{THE_REQUEST} = GET /cgi-bin/php/pro/rewrite-test/?catch=caught&this=that HTTP/1.1
RewriteCond %{REQUEST_URI} = /cg/rewrite-test/?catch=caught&this=that
RewriteCond %{QUERY_STRING} = catch=caught&this=that
RewriteCond %{HTTP_HOST} = www.askapache.com
RewriteCond %{HTTP_USER_AGENT} = Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
RewriteCond %{REMOTE_ADDR} = 8.8.8.8
We've figured out what mod_rewrite variables look like, a cheatsheet of the actual value.
Quick and easy method to get a list of all Apache Modules currently loaded, a list of all the directives each module provides, a list of currently used directives, etc... These directives can be used in httpd.conf and/or .htaccess files so it is definately useful to know which ones are available and which ones are currently being used.
These are a few of the mod_rewrite uses that BlogSecurity declared pushed the boundaries of Mod_Rewrite! Some of these snippets are quite exotic and unlike anything you may have seen before, also only for those who understand them as they can kill a website pretty quick.
WordPress uses a file named .htaccess to rewrite all requests to the main index.php file. This article explains what the htaccess file rules look like and what they actually do.
FYI, using the Mod_Rewrite Variables Cheatsheet makes this example, and all advanced .htaccess code easier to understand. This demo lets you set a cookie with 1 of 3 values, then you just request the pdf file with a normal link click and get 1 of 3 different responses. This is accomplished with a nice bit of .htaccess code.
Set PDF Viewing Mode - Make a selection, then click the view pdf button.
Inline Download Save As View PDF using selected mode »
htaccess rewrite / Mod_Rewrite Tips and Tricks is as glamorous as it sounds! htaccess rewrite mod_rewrite is just possibly one of the most useful Apache modules and features. The ability to rewrite requests internally as well as externally is extremely powerful.
There are a total of 57 HTTP Status Codes recognized by the Apache Web Server. Wouldn't you like to see what all those headers and their output, ErrorDocuments look like?
Here is even more information from the Ultimate Htaccess Part I. For now this is very rough and you will want to come back later to read it.
If you have a php.cgi or php.ini file in your /cgi-bin/ directory or other pub directory, try requesting them from your web browser. If your php.ini shows up or worse you are able to execute your php cgi, you'll need to secure it ASAP. This shows several ways to secure these files, and other interpreters like perl, fastCGI, bash, csh, etc.
#### No https except to wp-admin -
# If the request is empty ( implies fopen or normal file access by a php script )
RewriteCond %{THE_REQUEST} ^$ [OR]
# OR if the request if for wp-admin or wp-login.php
RewriteCond %{REQUEST_URI} ^/(wp-admin|wp-login.php).*$ [NC,OR]
# OR if the Referer is https
RewriteCond %{HTTP_REFERER} ^https://www.askapache.com/.*$ [NC]
# THEN skip the following rule, basically all this does is force https or badhost to be redirected
# BUT because of the above 3 rewritecond's, this won't break poorly written admin scripts
RewriteRule .* - [S=1]
RewriteCond %{HTTPS} =on [OR]
RewriteCond %{HTTP_HOST} !^www.askapache.com$ [NC]
RewriteRule .* http://www.askapache.com%{REQUEST_URI} [R=301,L]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9} /(wp-admin/.*|wp-login.php.*) HTTP/ [NC]
RewriteCond %{HTTPS} !=on
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
If you have files on your site that you don't want indexed by malicious search engines, grabbed and leeched by malicious spammers, or stolen and made available elsewhere, you can use mod_rewrite to drastically reduce or totally reduce that activity.
Web Developers sometimes use file.ext?v=004 as a version control system to force visitors to use updated files. This is terrible. Instead link to apache-003.css and set it to be cached forever. When you change the file you just change the links to apache-004.css. That eliminates millions of bandwidth and resource robbing If-Modified-Since requests. You only need Apache with mod_rewrite, and 1-10 minutes!
Note: Extremely ILL Content
Find the key to unlocking mod_rewrite and you WILL be sick.. sick with a diamond disease on your wrist!
3-Part article covering practical implementation of 3 advanced .htaccess features. Discover an easy way to boost your SEO the AskApache way (focus on visitors), a tip you might keep and use for life. Get some cool security tricks to use against spammers, crackers, and other nefarious sorts. Take your site's error handling to the next level, enhanced ErrorDocuments that go beyond 404's.
This is all new, experimental, and very very cool. It literally uses .htaccess techniques to create several virtual "locked gates" that require a specific key to unlock, in a specific order that cannot be bypassed. It uses whitelisting .htaccess tricks to specify exactly what is allowed, instead of trying to specify everything that isn't allowed. Also, by setting specific cookies/tokens after successfully passing through a gate, we can then require the exact cookie/token from the previous gate, which stops an attacker from skipping or bypassing gates.
SetEnv, SetEnvIf, and SetEnvIfNoCase directives conditionally set environment variables accessible by scripts and apache based on HTTP Headers, Variables, and Request information.
This past week I updated my sites apache.css file for a site-redesign. I wanted to make changes to the .css file that only I could see, so that my regular traffic and site-visitors would still see the old version. Here's the elegant solution I came up with using .htaccess and mod_rewrite that works so well I'm sharing it with all you wonderful and incredible people reading my blog :)
This is freaking sweet if you use SSL I promise you! Basically instead of having to check for HTTPS using a RewriteCond %{HTTPS} =on for every redirect that can be either HTTP or HTTPS, I set an environment variable once with the value "http" or "https" if HTTP or HTTPS is being used for that request, and use that env variable in the RewriteRule.
Mod_Security rivals Mod_Rewrite in the amount of features it provides. I decided to go ahead and post what I learned about it today, even though its tough to give away such awesome htaccess and apache tricks.. Learn how to control spam once and for all, conditionally log/deny/allow/redirect requests based on IP, username, etc.. Mod_Security is so fine!
Want to block a bad robot or web scraper using .htaccess files? Here are 2 methods that illustrate blocking 436 various user-agents.
SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "google.com"
ErrorDocument 403 https://google.com
Some of the Ins and Outs of using SSL Connections with Apache.
Fresh .htaccess code for you! Check out the Cookie Manipulation and environment variable usage with mod_rewrite! I also included a couple Mod_Security .htaccess examples. Enjoy!
Using Cache-Control headers you can specify which types of proxies can cache certain content, and how long files should be cached.
A hit-list of some of my favorite mod_rewrite code snippets for .htaccess files
Learn how to log and debug usernames and passwords used to login to a htaccess basic authorization protected website using php. This article is BOSS and will show you how to fully take control of this aspect of security using php and .htaccess, I don't believe you will find instructions to do this anywhere else on the net.
If you have a Powweb Webhosting account, you will appreciate this simple skeleton .htaccess file for use on their systems.
FeedBurner is so RAD! I love it. Here's an alternative method to redirect scrapers and feed requests to your feedburner url, in my case, I use Branding by feedburner, which is so hot, taking advantage of CNAMEs in your DNS record.
Ultimate Redirect Cheatsheet for multiple programming languages. Redirecting Users with Javascript redirect, meta refresh redirect, and php redirect, also htaccess methods, python, coldfusion, asp, perl, etc.
.htaccess and php example serves .pdf files to give visitors the choice to open in an external program or save to disk without having to open it in the browser
PDF Before and after Fix - Firefox
To make your site even faster, serve certain content from different subdomains. The reason this works is amazingly cool!
If you remove the Last-Modified and ETag header, you will totally eliminate If-Modified-Since and If-None-Match requests and their 304 Not Modified Responses.
By removing the ETag header, you disable caches and browsers from being able to validate files, so they are forced to rely on your Cache-Control and Expires header.
A first-time visitor to your page will make several HTTP requests to download all your sites files, but using the Expires header you make those files cacheable. This avoids unnecessary HTTP requests on subsequent page views.
Use the Apache module mod_deflate to compress your static .css and .js files, speeding your site up like crazy!
Apache Web Server users have problems getting Apache Authentication/password-protection in htaccess working, this is a troubleshooting guide to get Password Protection working!
WordPress blogs show the same duplicate content for http://www.askapache.com/index.php and http://www.askapache.com/. If you've read about using a robots.txt file for WordPress SEO, than you already understand this setup results in Duplicate Content penalties being levied against your Blog and Web Site by Search Engines.
Server and Environment Variables are used by The Apache HTTP Server by provides a mechanism for storing information. This information can be used to control various operations such as logging or access control.
Apache has the best SSL/HTTPS support and can be controlled by the httpd.conf file or other HTTPD server configuration file. This htaccess tutorial has htaccess example code to make it easy to secure and use HTTPS and SSL with Apache.
Apache Security tips and tricks for securing Apache Web Servers using htaccess, httpd.conf, and other built-in techniques to thwart attackers. This really should be required reading for any Apache admin or user because these little tricks are so easy to do.
How to password-protect, Allow or Deny a visitor based on a condition. If you are having trouble getting htaccess-based password protection to work see: Troubleshooting htaccess Authentication: Getting it to work
Web Professionals use mod_rewrite to issue 301 and 302 Redirects for Search Engines. Sometimes you may not have mod_rewrite.c or you want an alternative redirect method. Using mod_alias RedirectMatch you can use REGEX in Redirect commands!
Apache .htaccess and httpd.conf have the power to send and manipulate HTTP Header Requests like sending P3P privacy headers, Content-Type: UTF-8, Content-Language, etc. The power is immense and you can do some really cool stuff with HTTP Headers!
Some of my favorite htaccess examples from some of my favorite .htaccess tutorials. These cut-and-paste ready htaccess code snippets are very useful for website and server administrators.
Comprehensive .htaccess example file with advanced examples in 1 htaccess sample skeleton .htaccess file with the very best apache htaccess examples... Updated frequently based on detailed info from the Apache htaccess tutorial.
Some good examples for how to use the Files and FilesMatch directives in .htaccess files and httpd.conf files for Apache.
<filesMatch ".(htm|html|css|js|php)$"> AddDefaultCharset UTF-8 DefaultLanguage en-US </filesMatch>
301 Redirects using Apache mod_rewrite or RedirectMatch in .htaccess or httpd.conf
Replace underscores in URLs with hyphens using Apache .htaccess.
Time-dependant rewriting uses mod_rewrite and apache server time variables to display different files depending on the time, while the URL stays the same. An often requested implementation of this is to display a different home page or image depending on if its morning, noon, or night.
Securing Subdirectories using unique apache htaccess solutions.
Fighting Blog Spam with Apache htaccess and other methods.
If you want to redirect to a different version of a file based on the time, this code is for you! Please read: Serve Alternate Content based on Time
Learning about charset's and file types maybe pretty boring, but using .htaccess it can be fun! Here's a quicklist htaccess cheatsheet for adding the correct Charset to a web document.
Links to htaccess tutorials and howtos in the htaccess forum
mod_rewrite is very useful in many situations. Yet some behaviors were not so obvious when I started to mess with it. After many testings, I understand it much better, now. Having said that, I do not pretend to know it perfectly. I also make mistakes.
A lot of commonly used htaccess code snippets for use with the Apache Web Server.
Perhaps you want to keep status information between requests and use the URL to encode it. But you don't want to use a CGI wrapper for all pages just to strip out this information.
After I optimized the caching for my non-dynamic pages using apache modules mod_headers and mod_expires, I began to learn about phpbb seo..
Say you want to deny access to your entire site except when you access it. The following htaccess code does just that. Instead of a Static IP you could also use a hostname, or part of a hostname..
Today in 1965 DEC announces PDP-8
RT @askapache: Make sure you unplug your Ethernet when leaving the room, or disable wifi
Make sure you unplug your Ethernet when leaving the room, or disable wifi
My servers, and me, are getting annoyed. Fail2ban works fairly well against all the Chinese brute forcing going on
Can't the Chinese stop ordering their hackers to hack us? Ugh
All I want for my bday is a bottle of American whiskey :)
The first Dino fossil wasn't found until 1822, we sure are young
Htaccess - Ultimate HowTo: t.co/XMmRKFIWuG
Show Events that Occurred on this day in the Past: t.co/5u33s4OolA
Linux / UNIX: Create Large 1GB Binary Image File With dd Command t.co/2xs3pvudOz via @nixcraft
The power of the Web is in its universality. Access by everyone regardless of disability is an essential aspect. -Tim Berners-Lee
A strong free software movement focused on the principled issues of software freedom and a strong FSF in particular will determine what freedoms the next generation of computer users enjoy. At stake is no less than the next generation's autonomy. -Benjamin Mako Hill
The use of "hacker" to mean "security breaker" is a confusion on the part of the mass media. We hackers refuse to recognize that meaning, and continue using the word to mean someone who loves to program, someone who enjoys playful cleverness, or the combination of the two. See my article, On Hacking.
-- Richard M. Stallman
It's very simple - you read the protocol and write the code. -Bill Joy
HTML | DCMI | GRDDL | OGP | XOXO | XDMP | XFN | DOM | XML | XHTML1.1 Strict | CSS2.1 | W3C |
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution 3.0 License, just credit with a link.
This site is not supported or endorsed by The Apache Software Foundation (ASF). All software and documentation produced by The ASF is licensed. "Apache" is a trademark of The ASF. NCSA HTTPd.
UNIX ® is a registered Trademark of The Open Group. POSIX ® is a registered Trademark of The IEEE.
