#http://feeds.askapache.com/apache/htaccess RSS ATOM Advanced .htaccess Tricks for Securing Sites Password Protection Plugin Status meta Search Ultimate Htaccess Tutorial for .htaccess files FREE THOUGHT · FREE SOFTWARE · FREE WORL « Advanced .htaccess Tricks for Securing SitesPassword Protection Plugin Status » Ultimate Htaccess Tutorial for .htaccess files .htaccess file tutorial This is not an introduction to .htaccess… This is the evolution of .htaccess… The best of the best .htaccess info I can find. Originally known as the Ultimate .htaccess Guide, its changed over the years with more and better .htaccess tricks using real .htaccess example code. I add my favorite htaccess-related links and sites, results from my best .htaccess experiments, and frequently update this article. You’ve come to the right place if you are looking to acquire mad skills for using .htaccess files. Table of Contents 1. Evolution of Htaccess 2. Server Config (httpd.conf) Examples 3. Example .htaccess Files 4. Example .htaccess Code Snippets 5. NEW: Advanced Mod_Rewrite Tricks 6. Best AskApache .htaccess Articles 7. Favorite .htaccess Links 8. Master List of .htaccess Directives 9. Htaccess Modules List Htaccess – Evolved The Hyper Text Transfer Protocol (HTTP) was initiated at the CERN in Geneve (Switzerland), where it emerged (together with the HTML presentation language) from the need to exchange scientific information on a computer network in a simple manner. The first public HTTP implementation only allowed for plain text information, and almost instantaneously became a replacement of the GOPHER service. One of the first text-based browsers was LYNX which still exists today; a graphical HTTP client appeared very quickly with the name NCSA Mosaic. Mosaic was a popular browser back in 1994. Soon the need for a more rich multimedia experience was born, and the markup language provided support for a growing multitude of media types. The following .htaccess tricks, .htaccess tips, examples, samples, tutorials, tools, and plethora of “How To” htaccess articles on creating and using htaccess files will do several things for you, just like its done for me. * Make your website noticeably faster. * Allow you to debug your server with ease. * Make your life easier and more rewarding. * Allow you to work faster and more productively. What Is .htaccess .htaccess is a very ancient configuration file that controls the Web Server running your website, and is one of the most powerful configuration files you will ever come across. Htaccess is sometimes called: “HyperText Access” because of its ability to control access of the WWW’s HyperText Transfer Protocol (HTTP) using Password Protection, Allow and Deny capabilities, and more. Specifically, .htaccess is the default file name of a special configuration file that provides a number of directives (commands) for controlling and configuring the Apache Web Server, and also to control and configure modules that can be built into the Apache installation, or included at run-time like mod_rewrite (for htaccess rewrite), mod_alias (for htaccess redirects), and mod_ssl (for controlling SSL connections). Htaccess allows for decentralized management of Web Server configurations which makes life very easy for web hosting companies and especially their savvy consumers. They set up and run “server farms” where many hundreds and thousands of web hosting customers are all put on the same Apache Server. This type of hosting is called “virtual hosting” and without .htaccess files would mean that every customer must use the same exact settings as everyone else on their segment. So that is why any half-decent web host allows/enables (DreamHost, Powweb, MediaTemple, GoDaddy) .htaccess files, though few people are aware of it. Let’s just say that if I was a customer on your server-farm, and .htaccess files were enabled, my websites would be a LOT faster than yours, as these configuration files allow you to fully take advantage of and utilize the resources allotted to you by your host. If even 1/10 of the sites on a server-farm took advantage of what they are paying for, the providers would go out of business. Configuration, commands and the like One of the design goals for this server was to maintain external compatibility with the NCSA 1.3 server — that is, to read the same configuration files, to process all the directives therein correctly, and in general to be a drop-in replacement for NCSA. On the other hand, another design goal was to move as much of the server’s functionality into modules which have as little as possible to do with the monolithic server core. The only way to reconcile these goals is to move the handling of most commands from the central server into the modules. However, just giving the modules command tables is not enough to divorce them completely from the server core. The server has to remember the commands in order to act on them later. That involves maintaining data which is private to the modules, and which can be either per-server, or per-directory. Most things are per-directory, including in particular access control and authorization information, but also information on how to determine file types from suffixes, which can be modified by AddType and DefaultType directives, and so forth. In general, the governing philosophy is that anything which can be made configurable by directory should be; per-server information is generally used in the standard set of modules for information like Aliases and Redirects which come into play before the request is tied to a particular place in the underlying file system. Another requirement for emulating the NCSA server is being able to handle the per-directory configuration files, generally called .htaccess files, though even in the NCSA server they can contain directives which have nothing at all to do with access control. Accordingly, after URI -> filename translation, but before performing any other phase, the server walks down the directory hierarchy of the underlying filesystem, following the translated pathname, to read any .htaccess files which might be present. The information which is read in then has to be merged with the applicable information from the server’s own config files (either from the sections in access.conf, or from defaults in srm.conf, which actually behaves for most purposes almost exactly like ). Finally, after having served a request which involved reading .htaccess files, we need to discard the storage allocated for handling them. That is solved the same way it is solved wherever else similar problems come up, by tying those structures to the per-transaction resource pool. Creating Htaccess Files What an Htaccess File Looks Like in Windows Explorer Htaccess files use the default filename “.htaccess” but any unix-style file name can be specified from the main server config using the AccessFileName directive. The file isn’t .htaccess.txt, its literally just named .htaccess. View .htaccess files In a Windows Environment like the one I use for work, you can change how Windows opens and views .htaccess files by modifying the Folder Options in explorer. As you can see, on my computer files ending in .htaccess are recognized as having the HTACCESS extension and are handled/opened by Adobe Dreamweaver CS4. Htaccess Scope Unlike the main server configuration files like httpd.conf, Htaccess files are read on every request therefore changes in these files take immediate effect. Apache searches all directories and subdirectories that are htaccess-enabled for an .htaccess file which results in performance loss due to file accesses. I’ve never noticed a performance loss but OTOH, I know how to use them. If you do have access to your main server configuration file, you should of course use that instead, and lucky for you ALL the .htaccess tricks and examples can be used there as well (just not vice versa). Htaccess File Syntax Htaccess files follow the same syntax as the main Apache configuration files, for powerusers here’s an apache.vim for VI. The one main difference is the context of the directive, which means whether or not that directive is ALLOWED to be used inside of an .htaccess file. Htaccess files are incredibly powerful, and can also be very dangerous as some directives allowed in the main configuration files would allow users/customers to completely bypass security/bandwidth-limits/resource-limits/file-permissions, etc.. About 1/4 of all Apache directives cannot be used inside an .htaccess file (also known as a per-directory context config). The Apache Developers are well-regarded throughout the world as being among some of the best programmers, ever. To enable a disallowed directive inside a .htaccess file would require modifying the source code and re-compiling the server (which they allow and encourage if you are the owner/admin). Here’s a taste of that famous Apache source code that builds the directives allowed in .htaccess file context, the key that tells whether its enabled in .htaccess context is the DIR_CMD_PERMS and then the OR_FILEINFO, which means a directive is enabled dependent on the AllowOverride directive that is only allowed in the main config. First Apache 1.3.0, then Apache 2.2.10 //mod_autoindex AddIcon, add_icon, BY_PATH, DIR_CMD_PERMS, an icon URL followed by one or more filenames AddIconByType, add_icon, BY_TYPE, DIR_CMD_PERMS, an icon URL followed by one or more MIME types AddIconByEncoding, add_icon, BY_ENCODING, DIR_CMD_PERMS, an icon URL followed by one or more content encodings AddAlt, add_alt, BY_PATH, DIR_CMD_PERMS, alternate descriptive text followed by one or more filenames AddAltByType, add_alt, BY_TYPE, DIR_CMD_PERMS, alternate descriptive text followed by one or more MIME types AddAltByEncoding, add_alt, BY_ENCODING, DIR_CMD_PERMS, alternate descriptive text followed by one or more content encodings IndexOptions, add_opts, DIR_CMD_PERMS, RAW_ARGS, one or more index options IndexIgnore, add_ignore, DIR_CMD_PERMS, ITERATE, one or more file extensions AddDescription, add_desc, BY_PATH, DIR_CMD_PERMS, Descriptive text followed by one or more filenames HeaderName, add_header, DIR_CMD_PERMS, TAKE1, a filename ReadmeName, add_readme, DIR_CMD_PERMS, TAKE1, a filename FancyIndexing, fancy_indexing, DIR_CMD_PERMS, FLAG, Limited to 'on' or 'off' (superseded by IndexOptions FancyIndexing) DefaultIcon, ap_set_string_slot, (void *) XtOffsetOf(autoindex_config_rec, default_icon), DIR_CMD_PERMS, TAKE1, an icon URL // mod_rewrite RewriteEngine, cmd_rewriteengine, OR_FILEINFO, On or Off to enable or disable (default) RewriteOptions, cmd_rewriteoptions, OR_FILEINFO, List of option strings to set RewriteBase, cmd_rewritebase, OR_FILEINFO, the base URL of the per-directory context RewriteCond, cmd_rewritecond, OR_FILEINFO, an input string and a to be applied regexp-pattern RewriteRule, cmd_rewriterule, OR_FILEINFO, an URL-applied regexp-pattern and a substitution URL RewriteMap, cmd_rewritemap, RSRC_CONF, a mapname and a filename RewriteLock, cmd_rewritelock, RSRC_CONF, the filename of a lockfile used for inter-process synchronization RewriteLog, cmd_rewritelog, RSRC_CONF, the filename of the rewriting logfile RewriteLogLevel, cmd_rewriteloglevel, RSRC_CONF, the level of the rewriting logfile verbosity (0=none, 1=std, .., 9=max) RewriteLog, fake_rewritelog, RSRC_CONF, [DISABLED] the filename of the rewriting logfile RewriteLogLevel, fake_rewritelog, RSRC_CONF, [DISABLED] the level of the rewriting logfile verbosity Htaccess Directives Don’t ask why, but I personally downloaded each major/beta release of the Apache HTTPD source code from version 1.3.0 to version 2.2.10 (all 63 Apache versions!), then I configured and compiled each version for a custom HTTPD installation built from source. This allowed me to find every directive allowed in .htaccess files for each particular version, which has never been done before, or since. YES! I think that is so cool.. An .htaccess directive is basically a command that is specific to a module or builtin to the core that performs a specific task or sets a specific setting for how Apache serves your WebSite. Directives placed in Htaccess files apply to the directory they are in, and all sub-directories. Here’s the 3 top links (official Apache Docs) you will repeatedly use, bookmark/print/save them. htaccess Context Legend 1. Terms Used to Describe Directives 2. Official List of Apache Directives 3. Directive Quick-Reference — with Context ________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________ Litespeed .htaccess support Unlike other lightweight web servers, Apache compatible per-directory configuration overridden is fully supported by LiteSpeed Web Server. With .htacess you can change configurations for any directory under document root on-the-fly, which in most cases is a mandatory feature in shared hosting environment. It is worth noting that enabling .htaccess support in LiteSpeed Web Server will not degrade server’s performance, comparing to Apache’s 40% drop in performance. Main Server Config Examples Now lets take a look at some htaccess examples to get a feel for the syntax and some general ideas at the capabilities. Some of the best examples for .htaccess files are included with Apache for main server config files, so lets take a quick look at a couple of them on our way down to the actual .htaccess examples further down the page (this site has thousands, take your time). As you can see, the basic syntax is a line starting with # is a comment, everything else are directives followed by the directive argument. httpd-multilang-errordoc.conf: The configuration below implements multi-language error documents through content-negotiation Options IncludesNoExec AddOutputFilter Includes html AddHandler type-map var LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr ForceLanguagePriority Prefer Fallback ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var httpd-manual.conf: Provide local access to the server documentation on your server SetEnvIf Request_URI ^/manual/(de|en|es|fr|ja|ko|pt-br|ru|tr)/ prefer-language=$1 RedirectMatch 301 ^/manual(?:/(de|en|es|fr|ja|ko|pt-br|ru|tr)){2, }(/.*)?$ /manual/$1$2 LanguagePriority en de es fr ja ko pt-br ru tr ForceLanguagePriority Prefer Fallback httpd-languages.conf: Settings for hosting different languages. DefaultLanguage en AddLanguage ca .ca # Just list the languages in decreasing order of preference. LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv tr zh-CN zh-TW # Commonly used filename extensions to character sets. AddCharset us-ascii.ascii .us-ascii AddCharset ISO-8859-1 .iso8859-1 .latin1 httpd-autoindex.conf: Directives controlling the display of server-generated directory listings. # IndexOptions: Controls the appearance of server-generated directory listings. IndexOptions FancyIndexing HTMLTable VersionSort # AddIcon* directives tell the server which icon to show for different files or filename extensions. AddIconByEncoding (CMP, /icons/compressed.gif) x-compress x-gzip AddIconByType (TXT, /icons/text.gif) text/* AddIcon /icons/folder.gif ^^DIRECTORY^^ # DefaultIcon is which icon to show for files which do not have an icon explicitly set. DefaultIcon /icons/unknown.gif # AddDescription allows you to place a short description after a file in server-generated indexes. AddDescription "GZIP compressed document" .gz # ReadmeName is the name of the README file the server will look for by default, and append to directory listings. ReadmeName README.html # HeaderName is the name of a file which should be prepended to directory indexes. HeaderName HEADER.html Here are the rest of them if you wanna take a look. (httpd-mpm.conf, httpd-default.conf, httpd-ssl.conf, httpd-info.conf, httpd-vhosts.conf, httpd-dav.conf) ________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________ Example .htaccess Files Here are some samples and examples taken from different .htaccess files I’ve used over the years. Specific solutions are farther down on this page and throughout the site. # Set the Time Zone of your Server SetEnv TZ America/Las_Vegas # ServerAdmin: This address appears on some server-generated pages, such as error documents. SetEnv SERVER_ADMIN webmaster@askapache.com # Possible values for the Options directive are "None", "All", or any combination of: # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews Options -ExecCGI -MultiViews -Includes -Indexes FollowSymLinks # DirectoryIndex: sets the file that Apache will serve if a directory is requested. DirectoryIndex index.html index.php /index.php # # Action lets you define media types that will execute a script whenever # a matching file is called. This eliminates the need for repeated URL # pathnames for oft-used CGI file processors. # Format: Action media/type /cgi-script/location # Format: Action handler-name /cgi-script/location # Action php5-cgi /bin/php.cgi # # AddHandler allows you to map certain file extensions to "handlers": # actions unrelated to filetype. These can be either built into the server # or added with the Action directive (see below) # # To use CGI scripts outside of ScriptAliased directories: # (You will also need to add "ExecCGI" to the "Options" directive.) # AddHandler php-cgi .php .inc # Commonly used filename extensions to character sets. AddDefaultCharset UTF-8 # AddType allows you to add to or override the MIME configuration AddType 'application/rdf+xml; charset=UTF-8' .rdf AddType 'application/xhtml+xml; charset=UTF-8' .xhtml AddType 'application/xhtml+xml; charset=UTF-8' .xhtml.gz AddType 'text/html; charset=UTF-8' .html AddType 'text/html; charset=UTF-8' .html.gz AddType application/octet-stream .rar .chm .bz2 .tgz .msi .pdf .exe AddType application/vnd.ms-excel .csv AddType application/x-httpd-php-source .phps AddType application/x-pilot .prc .pdb AddType application/x-shockwave-flash .swf AddType application/xrds+xml .xrdf AddType text/plain .ini .sh .bsh .bash .awk .nawk .gawk .csh .var .c .in .h .asc .md5 .sha .sha1 AddType video/x-flv .flv # AddEncoding allows you to have certain browsers uncompress information on the fly. Note: Not all browsers support this. AddEncoding x-compress .Z AddEncoding x-gzip .gz .tgz # DefaultType: the default MIME type the server will use for a document. DefaultType text/html # # Optionally add a line containing the server version and virtual host # name to server-generated pages (internal error documents, FTP directory # listings, mod_status and mod_info output etc., but not CGI generated # documents or custom error documents). # Set to "EMail" to also include a mailto: link to the ServerAdmin. # Set to one of: On | Off | EMail # ServerSignature Off ## MAIN DEFAULTS Options +ExecCGI -Indexes DirectoryIndex index.html index.htm index.php DefaultLanguage en-US AddDefaultCharset UTF-8 ServerSignature Off ## ENVIRONMENT VARIABLES SetEnv PHPRC /webroot/includes SetEnv TZ America/Las_Vegas SetEnv SERVER_ADMIN webmaster@askapache.com ## MIME TYPES AddType video/x-flv .flv AddType application/x-shockwave-flash .swf AddType image/x-icon .ico ## FORCE FILE TO DOWNLOAD INSTEAD OF APPEAR IN BROWSER # http://www.htaccesselite.com/addtype-addhandler-action-vf6.html AddType application/octet-stream .mov .mp3 .zip ## ERRORDOCUMENTS # http://askapache.com/htaccess/apache-status-code-headers-errordocument/ ErrorDocument 400 /e400/ ErrorDocument 401 /e401/ ErrorDocument 402 /e402/ ErrorDocument 403 /e403/ ErrorDocument 404 /e404/ # # Handlers be builtin, included in a module, or added with Action directive # default-handler: default, handles static content (core) # send-as-is: Send file with HTTP headers (mod_asis) # cgi-script: treat file as CGI script (mod_cgi) # imap-file: Parse as an imagemap rule file (mod_imap) # server-info: Get server config info (mod_info) # server-status: Get server status report (mod_status) # type-map: type map file for content negotiation (mod_negotiation) # fastcgi-script: treat file as fastcgi script (mod_fastcgi) # # https://www.askapache.com/php/custom-phpini-tips-and-tricks/ ## PARSE AS CGI AddHandler cgi-script .cgi .pl .spl ## RUN PHP AS APACHE MODULE AddHandler application/x-httpd-php .php .htm ## RUN PHP AS CGI AddHandler php-cgi .php .htm ## CGI PHP WRAPPER FOR CUSTOM PHP.INI AddHandler phpini-cgi .php .htm Action phpini-cgi /cgi-bin/php5-custom-ini.cgi ## FAST-CGI SETUP WITH PHP-CGI WRAPPER FOR CUSTOM PHP.INI AddHandler fastcgi-script .fcgi AddHandler php-cgi .php .htm Action php-cgi /cgi-bin/php5-wrapper.fcgi ## CUSTOM PHP CGI BINARY SETUP AddHandler php-cgi .php .htm Action php-cgi /cgi-bin/php.cgi ## PROCESS SPECIFIC FILETYPES WITH CGI-SCRIPT Action image/gif /cgi-bin/img-create.cgi ## CREATE CUSTOM HANDLER FOR SPECIFIC FILE EXTENSIONS AddHandler custom-processor .ssp Action custom-processor /cgi-bin/myprocessor.cgi ### HEADER CACHING # https://www.askapache.com/htaccess/speed-up-sites-with-htaccess-caching/ <FilesMatch "\.(flv|gif|jpg|jpeg|png|ico)$"> Header set Cache-Control "max-age=2592000" </FilesMatch> <FilesMatch "\.(js|css|pdf|swf)$"> Header set Cache-Control "max-age=604800" </FilesMatch> <FilesMatch "\.(html|htm|txt)$"> Header set Cache-Control "max-age=600" </FilesMatch> <FilesMatch "\.(pl|php|cgi|spl|scgi|fcgi)$"> Header unset Cache-Control </FilesMatch> ## ALTERNATE EXPIRES CACHING # htaccesselite.com/d/use-htaccess-to-speed-up-your-site-discussion-vt67.html ExpiresActive On ExpiresDefault A604800 ExpiresByType image/x-icon A2592000 ExpiresByType application/x-javascript A2592000 ExpiresByType text/css A2592000 ExpiresByType text/html A300 <FilesMatch "\.(pl|php|cgi|spl|scgi|fcgi)$"> ExpiresActive Off </FilesMatch> ## META HTTP-EQUIV REPLACEMENTS <FilesMatch "\.(html|htm|php)$"> Header set imagetoolbar "no" </FilesMatch> Here are some default MOD_REWRITE code examples. ## REWRITE DEFAULTS RewriteEngine On RewriteBase / ## REQUIRE SUBDOMAIN RewriteCond %{HTTP_HOST} !^$ RewriteCond %{HTTP_HOST} !^subdomain\.askapache\.com$ [NC] RewriteRule ^/(.*)$ http://subdomain.askapache.com/$1 [L,R=301] ## SEO REWRITES RewriteRule ^(.*)/ve/(.*)$ $1/voluntary-employee/$2 [L,R=301] RewriteRule ^(.*)/hsa/(.*)$ $1/health-saving-account/$2 [L,R=301] ## WORDPRESS RewriteCond %{REQUEST_FILENAME} !-f # Existing File RewriteCond %{REQUEST_FILENAME} !-d # Existing Directory RewriteRule . /index.php [L] ## ALTERNATIVE ANTI-HOTLINKING RewriteCond %{HTTP_REFERER} !^$ RewriteCond %{HTTP_REFERER} !^http://(subdomain\.)?askapache.com/.*$ [NC] RewriteRule ^.*\.(bmp|tif|gif|jpg|jpeg|jpe|png)$ - [F] ## REDIRECT HOTLINKERS RewriteCond %{HTTP_REFERER} !^$ RewriteCond %{HTTP_REFERER} !^http://(subdomain\.)?askapache.com/.*$ [NC] RewriteRule ^.*\.(bmp|tif|gif|jpg|jpeg|jpe|png)$ http://google.com [R] ## DENY REQUEST BASED ON REQUEST METHOD RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS|HEAD)$ [NC] RewriteRule ^.*$ - [F] ## REDIRECT UPLOADS RewriteCond %{REQUEST_METHOD} ^(PUT|POST)$ [NC] RewriteRule ^(.*)$ /cgi-bin/form-upload-processor.cgi?p=$1 [L,QSA] ## REQUIRE SSL EVEN WHEN MOD_SSL IS NOT LOADED RewriteCond %{HTTPS} !=on [NC] RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L] ### ALTERNATATIVE TO USING ERRORDOCUMENT # http://www.htaccesselite.com/d/htaccess-errordocument-examples-vt11.html RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule ^.*$ /error.php [L] ## SEO REDIRECTS Redirect 301 /2006/oldfile.html http://subdomain.askapache.com/newfile/ RedirectMatch 301 /o/(.*)$ http://subdomain.askapache.com/s/dl/$1 Examples of protecting your files and securing with password protection. # # Require (user|group|valid-user) (username|groupname) # ## BASIC PASSWORD PROTECTION AuthType basic AuthName "prompt" AuthUserFile /.htpasswd AuthGroupFile /dev/null Require valid-user ## ALLOW FROM IP OR VALID PASSWORD Require valid-user Allow from 192.168.1.23 Satisfy Any ## PROTECT FILES <FilesMatch "\.(htaccess|htpasswd|ini|phps|fla|psd|log|sh)$"> Order Allow,Deny Deny from all </FilesMatch> ## PREVENT HOTLINKING SetEnvIfNoCase Referer "^http://subdomain.askapache.com/" good SetEnvIfNoCase Referer "^$" good <FilesMatch "\.(png|jpg|jpeg|gif|bmp|swf|flv)$"> Order Deny,Allow Deny from all Allow from env=good ErrorDocument 403 http://www.google.com/intl/en_ALL/images/logo.gif ErrorDocument 403 /images/you_bad_hotlinker.gif </FilesMatch> ## LIMIT UPLOAD FILE SIZE TO PROTECT AGAINST DOS ATTACK #bytes, 0-2147483647(2GB) LimitRequestBody 10240000 ## MOST SECURE WAY TO REQUIRE SSL # https://www.askapache.com/htaccess/apache-ssl-in-htaccess-examples/ SSLOptions +StrictRequire SSLRequireSSL SSLRequire %{HTTP_HOST} eq "askapache.com" ErrorDocument 403 https://askapache.com ## COMBINED DEVELOPER HTACCESS CODE-USE THIS <FilesMatch "\.(flv|gif|jpg|jpeg|png|ico|js|css|pdf|swf|html|htm|txt)$"> Header set Cache-Control "max-age=5" </FilesMatch> AuthType basic AuthName "Ooops! Temporarily Under Construction..." AuthUserFile /.htpasswd AuthGroupFile /dev/null Require valid-user # password prompt for everyone else Order Deny,Allow Deny from all Allow from 192.168.64.5 # Your, the developers IP address Allow from w3.org # css/xhtml check jigsaw.w3.org/css-validator/ Allow from googlebot.com # Allows google to crawl your pages Satisfy Any # no password required if host/ip is Allowed ## DONT HAVE TO EMPTY CACHE OR RELOAD TO SEE CHANGES ExpiresDefault A5 #If using mod_expires <FilesMatch "\.(flv|gif|jpg|jpeg|png|ico|js|css|pdf|swf|html|htm|txt)$"> Header set Cache-Control "max-age=5" </FilesMatch> ## ALLOW ACCESS WITH PASSWORD OR NO PASSWORD FOR SPECIFIC IP/HOSTS AuthType basic AuthName "Ooops! Temporarily Under Construction..." AuthUserFile /.htpasswd AuthGroupFile /dev/null Require valid-user # password prompt for everyone else Order Deny,Allow Deny from all Allow from 192.168.64.5 # Your, the developers IP address Allow from w3.org # css/xhtml check jigsaw.w3.org/css-validator/ Allow from googlebot.com # Allows google to crawl your pages Satisfy Any # no password required if host/ip is Allowed ________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________ Example .htaccess Code Snippets Here are some specific examples, this is the most popular section of this page. Updated frequently. Redirect Everyone Except IP address to alternate page ErrorDocument 403 http://www.yahoo.com/ Order deny,allow Deny from all Allow from 208.113.134.190 When developing sites This lets google crawl the page, lets me access without a password, and lets my client access the page WITH a password. It also allows for XHTML and CSS validation! (w3.org) AuthName "Under Development" AuthUserFile /home/sitename.com/.htpasswd AuthType basic Require valid-user Order deny,allow Deny from all Allow from 208.113.134.190 w3.org htmlhelp.com googlebot.com Satisfy Any Fix double-login prompt Redirect non-https requests to https server and ensure that .htpasswd authorization can only be entered across HTTPS SSLOptions +StrictRequire SSLRequireSSL SSLRequire %{HTTP_HOST} eq "askapache.com" ErrorDocument 403 https://askapache.com Set Timezone of the Server (GMT) SetEnv TZ America/Las_Vegas Administrator Email for ErrorDocument SetEnv SERVER_ADMIN webmaster@google.com ServerSignature for ErrorDocument ServerSignature off | on | email Charset and Language headers Article: Setting Charset in htaccess, and article by Richard Ishida AddDefaultCharset UTF-8 DefaultLanguage en-US Disallow Script Execution Options -ExecCGI AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi Deny Request Methods RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|OPTIONS|POST|PUT) RewriteRule .* - [F] Force “File Save As” Prompt AddType application/octet-stream .avi .mpg .mov .pdf .xls .mp4 Show CGI Source Code RemoveHandler cgi-script .pl .py .cgi AddType text/plain .pl .py .cgi Serve all .pdf files on your site using .htaccess and mod_rewrite with the php script. RewriteEngine On RewriteBase / RewriteCond %{REQUEST_FILENAME} -f RewriteRule ^(.+)\.pdf$ /cgi-bin/pdf.php?file=$1 [L,NC,QSA] Rewrite to www RewriteCond %{REQUEST_URI} !^/(robots\.txt|favicon\.ico|sitemap\.xml)$ RewriteCond %{HTTP_HOST} !^www\.askapache\.com$ [NC] RewriteRule ^(.*)$ https://www.askapache.com/$1 [R=301,L] Rewrite to www dynamically RewriteCond %{REQUEST_URI} !^/robots\.txt$ [NC] RewriteCond %{HTTP_HOST} !^www\.[a-z-]+\.[a-z]{2,6} [NC] RewriteCond %{HTTP_HOST} ([a-z-]+\.[a-z]{2,6})$ [NC] RewriteRule ^/(.*)$ http://%1/$1 [R=301,L] 301 Redirect Old File Redirect 301 /old/file.html https://www.askapache.com/new/file/ 301 Redirect Entire Directory RedirectMatch 301 /blog(.*) https://www.askapache.com/$1 Protecting your php.cgi <FilesMatch "^php5?\.(ini|cgi)$"> Order Deny,Allow Deny from All Allow from env=REDIRECT_STATUS </FilesMatch> Set Cookie based on Request This code sends the Set-Cookie header to create a cookie on the client with the value of a matching item in 2nd parantheses. RewriteEngine On RewriteBase / RewriteRule ^(.*)(de|es|fr|it|ja|ru|en)/$ - [co=lang:$2:.askapache.com:7200:/] Set Cookie with env variable Header set Set-Cookie "language=%{lang}e; path=/;" env=lang Custom ErrorDocuments ErrorDocument 100 /100_CONTINUE ErrorDocument 101 /101_SWITCHING_PROTOCOLS ErrorDocument 102 /102_PROCESSING ErrorDocument 200 /200_OK ErrorDocument 201 /201_CREATED ErrorDocument 202 /202_ACCEPTED ErrorDocument 203 /203_NON_AUTHORITATIVE ErrorDocument 204 /204_NO_CONTENT ErrorDocument 205 /205_RESET_CONTENT ErrorDocument 206 /206_PARTIAL_CONTENT ErrorDocument 207 /207_MULTI_STATUS ErrorDocument 300 /300_MULTIPLE_CHOICES ErrorDocument 301 /301_MOVED_PERMANENTLY ErrorDocument 302 /302_MOVED_TEMPORARILY ErrorDocument 303 /303_SEE_OTHER ErrorDocument 304 /304_NOT_MODIFIED ErrorDocument 305 /305_USE_PROXY ErrorDocument 307 /307_TEMPORARY_REDIRECT ErrorDocument 400 /400_BAD_REQUEST ErrorDocument 401 /401_UNAUTHORIZED ErrorDocument 402 /402_PAYMENT_REQUIRED ErrorDocument 403 /403_FORBIDDEN ErrorDocument 404 /404_NOT_FOUND ErrorDocument 405 /405_METHOD_NOT_ALLOWED ErrorDocument 406 /406_NOT_ACCEPTABLE ErrorDocument 407 /407_PROXY_AUTHENTICATION_REQUIRED ErrorDocument 408 /408_REQUEST_TIME_OUT ErrorDocument 409 /409_CONFLICT ErrorDocument 410 /410_GONE ErrorDocument 411 /411_LENGTH_REQUIRED ErrorDocument 412 /412_PRECONDITION_FAILED ErrorDocument 413 /413_REQUEST_ENTITY_TOO_LARGE ErrorDocument 414 /414_REQUEST_URI_TOO_LARGE ErrorDocument 415 /415_UNSUPPORTED_MEDIA_TYPE ErrorDocument 416 /416_RANGE_NOT_SATISFIABLE ErrorDocument 417 /417_EXPECTATION_FAILED ErrorDocument 422 /422_UNPROCESSABLE_ENTITY ErrorDocument 423 /423_LOCKED ErrorDocument 424 /424_FAILED_DEPENDENCY ErrorDocument 426 /426_UPGRADE_REQUIRED ErrorDocument 500 /500_INTERNAL_SERVER_ERROR ErrorDocument 501 /501_NOT_IMPLEMENTED ErrorDocument 502 /502_BAD_GATEWAY ErrorDocument 503 /503_SERVICE_UNAVAILABLE ErrorDocument 504 /504_GATEWAY_TIME_OUT ErrorDocument 505 /505_VERSION_NOT_SUPPORTED ErrorDocument 506 /506_VARIANT_ALSO_VARIES ErrorDocument 507 /507_INSUFFICIENT_STORAGE ErrorDocument 510 /510_NOT_EXTENDED Implementing a Caching Scheme with .htaccess # year <FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|swf|mp3|mp4)$"> Header set Cache-Control "public" Header set Expires "Thu, 15 Apr 2010 20:00:00 GMT" Header unset Last-Modified </FilesMatch> #2 hours <FilesMatch "\.(html|htm|xml|txt|xsl)$"> Header set Cache-Control "max-age=7200, must-revalidate" </FilesMatch> <FilesMatch "\.(js|css)$"> SetOutputFilter DEFLATE Header set Expires "Thu, 15 Apr 2010 20:00:00 GMT" </FilesMatch> Password Protect single file <Files login.php> AuthName "Prompt" AuthType Basic AuthUserFile /home/askapache.com/.htpasswd Require valid-user </Files> Password Protect multiple files <FilesMatch "^(private|phpinfo)\.*$"> AuthName "Development" AuthUserFile /.htpasswd AuthType basic Require valid-user </FilesMatch> Send Custom Headers Header set P3P "policyref=\"https://www.askapache.com/w3c/p3p.xml\"" Header set X-Pingback "https://www.askapache.com/xmlrpc.php" Header set Content-Language "en-US" Header set Vary "Accept-Encoding" Blocking based on User-Agent Header SetEnvIfNoCase ^User-Agent$ .*(craftbot|download|extract|stripper|sucker|ninja|clshttp|webspider|leacher|collector|grabber|webpictures) HTTP_SAFE_BADBOT SetEnvIfNoCase ^User-Agent$ .*(libwww-perl|aesop_com_spiderman) HTTP_SAFE_BADBOT Deny from env=HTTP_SAFE_BADBOT Blocking with RewriteCond RewriteCond %{HTTP_USER_AGENT} ^.*(craftbot|download|extract|stripper|sucker|ninja|clshttp|webspider|leacher|collector|grabber|webpictures).*$ [NC] RewriteRule . - [F,L] .htaccess for mod_php SetEnv PHPRC /location/todir/containing/phpinifile .htaccess for php as cgi AddHandler php-cgi .php .htm Action php-cgi /cgi-bin/php5.cgi Shell wrapper for custom php.ini #!/bin/sh export PHP_FCGI_CHILDREN=3 exec php5.cgi -c /abs/php5/php.ini Add values from HTTP Headers SetEnvIfNoCase ^If-Modified-Since$ "(.+)" HTTP_IF_MODIFIED_SINCE=$1 SetEnvIfNoCase ^If-None-Match$ "(.+)" HTTP_IF_NONE_MATCH=$1 SetEnvIfNoCase ^Cache-Control$ "(.+)" HTTP_CACHE_CONTROL=$1 SetEnvIfNoCase ^Connection$ "(.+)" HTTP_CONNECTION=$1 SetEnvIfNoCase ^Keep-Alive$ "(.+)" HTTP_KEEP_ALIVE=$1 SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1 SetEnvIfNoCase ^Cookie$ "(.+)" HTTP_MY_COOKIE=$1 Stop hotlinking RewriteCond %{HTTP_REFERER} !^$ RewriteCond %{HTTP_REFERER} !^http://(www\.)?askapache.com/.*$ [NC] RewriteRule \.(gif|jpg|swf|flv|png)$ https://www.askapache.com/feed.gif [R=302,L] Turn logging off for IP SecFilterSelective REMOTE_ADDR "208\.113\.183\.103" "nolog,noauditlog,pass" Turn logging on for IP SecFilterSelective REMOTE_ADDR "!^208\.113\.183\.103" "nolog,noauditlog,pass" SecFilterSelective REMOTE_ADDR "208\.113\.183\.103" "log,auditlog,pass" ________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________ Advanced Mod_Rewrite Examples Here are some specific examples taken mostly from my WordPress Password Protection plugin, that also does alot more than password protection as you can see from the following mod_rewrite examples. These are a few of the mod_rewrite uses that BlogSecurity declared pushed the boundaries of Mod_Rewrite! Some of these snippets are quite exotic and unlike anything you may have seen before, also only for those who understand them as they can kill a website pretty quick. Directory Protection Enable the DirectoryIndex Protection, preventing directory index listings and defaulting. [Disable] Options -Indexes DirectoryIndex index.html index.php /index.php Password Protect wp-login.php Requires a valid user/pass to access the login page[401] <Files wp-login.php> Order Deny,Allow Deny from All Satisfy Any AuthName "Protected By AskApache" AuthUserFile /home/askapache.com/.htpasswda1 AuthType Basic Require valid-user </Files> Password Protect wp-admin Requires a valid user/pass to access any non-static (css, js, images) file in this directory.[401] Options -ExecCGI -Indexes +FollowSymLinks -Includes DirectoryIndex index.php /index.php Order Deny,Allow Deny from All Satisfy Any AuthName "Protected By AskApache" AuthUserFile /home/askapache.com/.htpasswda1 AuthType Basic Require valid-user <FilesMatch "\.(ico|pdf|flv|jpg|jpeg|mp3|mpg|mp4|mov|wav|wmv|png|gif|swf|css|js)$"> Allow from All </FilesMatch> <FilesMatch "(async-upload)\.php$"> <IfModule mod_security.c> SecFilterEngine Off </IfModule> Allow from All </FilesMatch> Protect wp-content Denies any Direct request for files ending in .php with a 403 Forbidden.. May break plugins/themes [401] RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /wp-content/.*$ [NC] RewriteCond %{REQUEST_FILENAME} !^.+flexible-upload-wp25js.php$ RewriteCond %{REQUEST_FILENAME} ^.+\.(php|html|htm|txt)$ RewriteRule .* - [F,NS,L] Protect wp-includes Denies any Direct request for files ending in .php with a 403 Forbidden.. May break plugins/themes [403] RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /wp-includes/.*$ [NC] RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ /wp-includes/js/.+/.+\ HTTP/ [NC] RewriteCond %{REQUEST_FILENAME} ^.+\.php$ RewriteRule .* - [F,NS,L] Common Exploits Block common exploit requests with 403 Forbidden. These can help alot, may break some plugins. [403] RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC] RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ ///.*\ HTTP/ [NC,OR] RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\?\=?(http|ftp|ssl|https):/.*\ HTTP/ [NC,OR] RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\?\?.*\ HTTP/ [NC,OR] RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\.(asp|ini|dll).*\ HTTP/ [NC,OR] RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\.(htpasswd|htaccess|aahtpasswd).*\ HTTP/ [NC] RewriteRule .* - [F,NS,L] Stop Hotlinking Denies any request for static files (images, css, etc) if referrer is not local site or empty. [403] RewriteCond %{HTTP_REFERER} !^$ RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC] RewriteCond %{HTTP_REFERER} !^https://www.askapache.com.*$ [NC] RewriteRule \.(ico|pdf|flv|jpg|jpeg|mp3|mpg|mp4|mov|wav|wmv|png|gif|swf|css|js)$ - [F,NS,L] Safe Request Methods Denies any request not using GET,PROPFIND,POST,OPTIONS,PUT,HEAD[403] RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST|PROPFIND|OPTIONS|PUT)$ [NC] RewriteRule .* - [F,NS,L] Forbid Proxies Denies any POST Request using a Proxy Server. Can still access site, but not comment. See Perishable Press [403] RewriteCond %{REQUEST_METHOD} =POST RewriteCond %{HTTP:VIA}%{HTTP:FORWARDED}%{HTTP:USERAGENT_VIA}%{HTTP:X_FORWARDED_FOR}%{HTTP:PROXY_CONNECTION} !^$ [OR] RewriteCond %{HTTP:XPROXY_CONNECTION}%{HTTP:HTTP_PC_REMOTE_ADDR}%{HTTP:HTTP_CLIENT_IP} !^$ RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC] RewriteRule .* - [F,NS,L] Real wp-comments-post.php Denies any POST attempt made to a non-existing wp-comments-post.php[403] RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*/wp-comments-post\.php.*\ HTTP/ [NC] RewriteRule .* - [F,NS,L] HTTP PROTOCOL Denies any badly formed HTTP PROTOCOL in the request, 0.9, 1.0, and 1.1 only[403] RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ .+\ HTTP/(0\.9|1\.0|1\.1) [NC] RewriteRule .* - [F,NS,L] SPECIFY CHARACTERS Denies any request for a url containing characters other than “a-zA-Z0-9.+/-?=&” – REALLY helps but may break your site depending on your links. [403] RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC] RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ [a-zA-Z0-9\.\+_/\-\?\=\&]+\ HTTP/ [NC] RewriteRule .* - [F,NS,L] BAD Content Length Denies any POST request that doesnt have a Content-Length Header[403] RewriteCond %{REQUEST_METHOD} =POST RewriteCond %{HTTP:Content-Length} ^$ RewriteCond %{REQUEST_URI} !^/(wp-admin/|wp-content/plugins/|wp-includes/).* [NC] RewriteRule .* - [F,NS,L] BAD Content Type Denies any POST request with a content type other than application/x-www-form-urlencoded|multipart/form-data[403] RewriteCond %{REQUEST_METHOD} =POST RewriteCond %{HTTP:Content-Type} !^(application/x-www-form-urlencoded|multipart/form-data.*(boundary.*)?)$ [NC] RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC] RewriteRule .* - [F,NS,L] Missing HTTP_HOST Denies requests that dont contain a HTTP HOST Header.[403] RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC] RewriteCond %{HTTP_HOST} ^$ RewriteRule .* - [F,NS,L] Bogus Graphics Exploit Denies obvious exploit using bogus graphics[403] RewriteCond %{HTTP:Content-Disposition} \.php [NC] RewriteCond %{HTTP:Content-Type} image/.+ [NC] RewriteRule .* - [F,NS,L] No UserAgent, Not POST Denies POST requests by blank user-agents. May prevent a small number of visitors from POSTING. [403] RewriteCond %{REQUEST_METHOD} =POST RewriteCond %{HTTP_USER_AGENT} ^-?$ RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC] RewriteRule .* - [F,NS,L] No Referer, No Comment Denies any comment attempt with a blank HTTP_REFERER field, highly indicative of spam. May prevent some visitors from POSTING. [403] RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*/wp-comments-post\.php.*\ HTTP/ [NC] RewriteCond %{HTTP_REFERER} ^-?$ RewriteRule .* - [F,NS,L] Trackback Spam Denies obvious trackback spam. See Holy Shmoly! [403] RewriteCond %{REQUEST_METHOD} =POST RewriteCond %{HTTP_USER_AGENT} ^.*(opera|mozilla|firefox|msie|safari).*$ [NC] RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.+/trackback/?\ HTTP/ [NC] RewriteRule .* - [F,NS,L] Map all URIs except those corresponding to existing files to a handler RewriteEngine On RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} !-d RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} !-f RewriteRule . /script.php Map any request to a handler In the case where all URIs should be sent to the same place (including potentially requests for static content) the method to use depends on the type of the handler. For php scripts, use: For other handlers such as php scripts, use: RewriteEngine On RewriteCond %{REQUEST_URI} !=/script.php RewriteRule .* /script.php And for CGI scripts: ScriptAliasMatch .* /var/www/script.cgi Map URIs corresponding to existing files to a handler instead RewriteEngine On RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} -d [OR] RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} -f RewriteCond %{REQUEST_URI} !=/script.php RewriteRule .* /script.php If the existing files you wish to have handled by your script have a common set of file extensions distinct from that of the hander, you can bypass mod_rewrite and use instead mod_actions. Let’s say you want all .html and .tpl files to be dealt with by your script: Action foo-action /script.php AddHandler foo-action html tpl Deny access if var=val contains the string foo. RewriteCond %{QUERY_STRING} foo RewriteRule ^/url - [F] Removing the Query String RewriteRule ^/url /url? Adding to the Query String Keep the existing query string using the Query String Append flag, but add var=val to the end. RewriteRule ^/url /url?var=val [QSA] Rewriting For Certain Query Strings Rewrite URLs like http://askapache.com/url1?var=val to http://askapache.com/url2?var=val but don’t rewrite if val isn’t present. RewriteCond %{QUERY_STRING} val RewriteRule ^/url1 /url2 Modifying the Query String Change any single instance of val in the query string to other_val when accessing /path. Note that %1 and %2 are back-references to the matched part of the regular expression in the previous RewriteCond. RewriteCond %{QUERY_STRING} ^(.*)val(.*)$ RewriteRule /path /path?%1other_val%2 ________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________ Best .htaccess Articles .htaccess for Webmasters * Process certain requests for files using a cgi script * Process Requests with certain Request Methods * Make any file be a certain filetype * Use IfModule directive for robust code Mod_Rewrite URL Rewriting Undocumented techniques and methods will allow you to utilize mod_rewrite at an “expert level” by showing you how to unlock its secrets. * Check for a key in QUERY_STRING * Block access to files during certain hours of the day * Rewrite underscores to hyphens for SEO URL * Redirecting Wordpress Feeds to Feedburner 301 Redirects without mod_rewrite * Redirect single url * Redirect to new Domain Secure PHP with .htaccess Locking down your php.ini and php cgi with .htaccess If you have a php.cgi or php.ini file in your /cgi-bin/ directory or other pub directory, try requesting them from your web browser. If your php.ini shows up or worse you are able to execute your php cgi, you’ll need to secure it ASAP. This shows several ways to secure these files, and other interpreters like perl, fastCGI, bash, csh, etc. .htaccess Cookie Manipulation Cookie Manipulation in .htaccess with RewriteRule Fresh .htaccess code for you! Check out the Cookie Manipulation and environment variable usage with mod_rewrite! I also included a couple Mod_Security .htaccess examples. Enjoy! * Mod_Rewrite .htaccess Examples * Cookie Manipulation and Tests with mod_rewrite * Setting Environment Variables * Using the Environment Variable * Mod_Security .htaccess Examples .htaccess Caching * Speed Up Sites with htaccess Caching * htaccess time cheat sheet Password Protection and Authentication * Require password for single file * Example .htaccess file for password protection Control HTTP Headers * Prevent Caching 100% * Remove IE imagetoolbar without meta tag * Add Privacy (P3P) Header to your site * Add language and charset headers without meta tags Blocking Spam and bad Bots Block Bad Robot Want to block a bad robot or web scraper using .htaccess files? Here are 2 methods that illustrate blocking 436 various user-agents. You can block them using either SetEnvIf methods, or by using Rewrite Blocks. PHP htaccess tips By using some cool .htaccess tricks we can control PHP to be run as a cgi or a module. If php is run as a cgi then we need to compile it ourselves or use .htaccess to force php to use a local php.ini file. If it is running as a module then we can use various directives supplied by that modules in .htaccess * When php run as CGI * Use a custom php.ini with mod_php or php as a cgi * When php run as Apache Module (mod_php) * When cgi php is run with wrapper (FastCGI) HTTP to HTTPS Redirects with mod_rewrite HTTP to HTTPS Redirects with mod_rewrite This is freaking sweet if you use SSL I promise you! Basically instead of having to check for HTTPS using a RewriteCond %{HTTPS} =on for every redirect that can be either HTTP or HTTPS, I set an environment variable once with the value “http” or “https” if HTTP or HTTPS is being used for that request, and use that env variable in the RewriteRule. SSL in .htaccess * Redirect non-https requests to https server * Rewrite non-https to HTTPS without mod_ssl! * Redirect everything served on port 80 to HTTPS URI SetEnvIf and SetEnvIfNoCase in .htaccess * Unique mod_setenvif Variables * Populates HTTP_MY_ Variables with mod_setenvif variable values * Allows only if HOST Header is present in request * Add values from HTTP Headers Site Security with .htaccess chmod .htpasswd files 640, chmod .htaccess 644, php files 600, and chmod files that you really dont want people to see as 400. (NEVER chmod 777, try 766) * CHMOD your files * Prevent access to .htaccess and .htpasswd files * Show Source Code instead of executing * Securing directories: Remove ability to execute scripts * .htaccess ErrorDocuments .htaccess Security with MOD_SECURITY * mod_security + mod_rewrite * Block Spam by examining POST form fields * Disabling mod_security conditionally per IP * Disabling mod_security with .htaccess Authorization * Block WordPress Spam Forever! * Force Any Connections to be Paused a set number of ms * ModSecurity Debugging and Logging * Turn Off/On Logging JUST for your IP Address * Mod_Security Directives for DreamHost * Example httpd.conf mod_security rule files ________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________ Merging Notes The order of merging is: 1. (except regular expressions) and .htaccess done simultaneously (with .htaccess, if allowed, overriding ) 2. (and ) 3. and done simultaneously 4. and done simultaneously Below is an artificial example to show the order of merging. Assuming they all apply to the request, the directives in this example will be applied in the order: A > B > C > D > E . <Location /> E </Location> <Files askapache.txt> D </Files> <VirtualHost *> <Directory /a/b> B </Directory> </VirtualHost> <DirectoryMatch "^.*b$"> C </DirectoryMatch> <Directory /a/b> A </Directory> My Favorite .htaccess Links These are just some of my favorite .htaccess resources. I’m really into doing your own hacking to get knowledge and these links are all great resources in that respect. I’m really interested in new or unusual htaccess solutions or htaccess hacks using .htaccess files, so let me know if you find one. NCSA HTTPd Tutorials Robert Hansen Here’s a great Hardening HTAccess part 1, part 2, part 3 article that goes into detail about some of the rarer security applications for .htaccess files. SAMAXES Some very detailed and helpful .htaccess articles, such as the “.htaccess – gzip and cache your site for faster loading and bandwidth saving.” PerishablePress Stupid .htaccess tricks is probably the best explanation online for many of the best .htaccess solutions, including many from this page. Unlike me they are fantastic writers, even for technical stuff they are very readable, so its a good blog to kick back on and read. They also have a fantastic article detailing how to block/deny specific requests using mod_rewrite. BlogSecurity Mostly a site for… blog security (which is really any web-app security) this blog has a few really impressive articles full of solid information for Hardening WordPress with .htaccess among more advanced topics that can be challenging but effective. This is a good site to subscribe to their feed, they publish plugin exploits and wordpress core vulnerabilities quite a bit. Check-These Oldschool security/unix dude with some incredibly detailed mod_rewrite tutorials, helped me the most when I first got into this, and a great guy too. See: Basic Mod_Rewrite Guide, and Advanced Mod_Rewrite Tutorial Reaper-X Alot of .htaccess tutorials and code. See: Hardening Wordpress with Mod Rewrite and htaccess jdMorgan jdMorgan is the Moderator of the Apache Forum at WebmasterWorld, a great place for answers. In my experience he can answer any tough question pertaining to advanced .htaccess usage, haven’t seen him stumped yet. The W3C Setting Charset in .htaccess is very informative. Holy Shmoly! A great blogger with analysis of attacks and spam. See: More ways to stop spammers and unwanted traffic. Apache Week A partnership with Red Hat back in the 90’s that produced some excellent documentation. Corz Here’s a resource that I consider to have some of the most creative and ingenious ideas for .htaccess files, although the author is somewhat of a character ;) Its a trip trying to navigate around the site, a fun trip. Its like nothing I’ve ever seen. There are only a few articles on the site, but the htaccess articles are very original and well-worth a look. See: htaccess tricks and tips. ________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________ Htaccess Directives This is an AskApache.com exclusive you won’t find this anywhere else. Directory, DirectoryMatch, Files, FilesMatch, IfDefine, IfVersion, IfModule, Limit, LimitExcept, Location, LocationMatch, Proxy, ProxyMatch, VirtualHost, AcceptMutex, AcceptPathInfo, AccessFileName, Action, AddCharset, AddDefaultCharset, AddDescription, AddEncoding, AddHandler, AddInputFilter, AddLanguage, AddOutputFilter, AddOutputFilterByType, AddType, Alias, AliasMatch, AllowCONNECT, AllowOverride, Anonymous, Anonymous_Authoritative, Anonymous_LogEmail, Anonymous_MustGiveEmail, Anonymous_NoUserId, Anonymous_VerifyEmail, AuthAuthoritative, AuthDBMAuthoritative, AuthDBMGroupFile, AuthDBMType, AuthDBMUserFile, AuthDigestAlgorithm, AuthDigestDomain, AuthDigestFile, AuthDigestGroupFile, AuthDigestNcCheck, AuthDigestNonceFormat, AuthDigestNonceLifetime, AuthDigestQop, AuthDigestShmemSize, AuthGroupFile, AuthName, AuthType, AuthUserFile, BS2000Account, BrowserMatch, BrowserMatchNoCase, CacheNegotiatedDocs, CharsetDefault, CharsetOptions, CharsetSourceEnc, CheckSpelling, ContentDigest, CookieDomain, CookieExpires, CookieName, CookieStyle, CookieTracking, CoreDumpDirectory, DAV, DAVDepthInfinity, DAVMinTimeout, DefaultIcon, DefaultLanguage, DefaultType, DocumentRoot, ErrorDocument, ErrorLog, ExtFilterDefine, ExtFilterOptions, FancyIndexing, FileETag, ForceLanguagePriority, ForceType, GprofDir, Header, HeaderName, HostnameLookups, IdentityCheck, ImapBase, ImapDefault, ImapMenu, Include, IndexIgnore, LanguagePriority, LimitRequestBody, LimitRequestFields, LimitRequestFieldsize, LimitRequestLine, LimitXMLRequestBody, LockFile, LogLevel, MaxRequestsPerChild, MultiviewsMatch, NameVirtualHost, NoProxy, Options, PassEnv, PidFile, Port, ProxyBlock, ProxyDomain, ProxyErrorOverride, ProxyIOBufferSize, ProxyMaxForwards, ProxyPass, ProxyPassReverse, ProxyPreserveHost, ProxyReceiveBufferSize, ProxyRemote, ProxyRemoteMatch, ProxyRequests, ProxyTimeout, ProxyVia, RLimitCPU, RLimitMEM, RLimitNPROC, ReadmeName, Redirect, RedirectMatch, RedirectPermanent, RedirectTemp, RemoveCharset, RemoveEncoding, RemoveHandler, RemoveInputFilter, RemoveLanguage, RemoveOutputFilter, RemoveType, RequestHeader, Require, RewriteCond, RewriteRule, SSIEndTag, SSIErrorMsg, SSIStartTag, SSITimeFormat, SSIUndefinedEcho, Satisfy, ScoreBoardFile, Script, ScriptAlias, ScriptAliasMatch, ScriptInterpreterSource, ServerAdmin, ServerAlias, ServerName, ServerPath, ServerRoot, ServerSignature, ServerTokens, SetEnv, SetEnvIf, SetEnvIfNoCase, SetHandler, SetInputFilter, SetOutputFilter, Timeout, TypesConfig, UnsetEnv, UseCanonicalName, XBitHack, allow, deny, order, CGIMapExtension, EnableMMAP, ISAPIAppendLogToErrors, ISAPIAppendLogToQuery, ISAPICacheFile, ISAPIFakeAsync, ISAPILogNotSupported, ISAPIReadAheadBuffer, SSLLog, SSLLogLevel, MaxMemFree, ModMimeUsePathInfo, EnableSendfile, ProxyBadHeader, AllowEncodedSlashes, LimitInternalRecursion, EnableExceptionHook, TraceEnable, ProxyFtpDirCharset, AuthBasicAuthoritative, AuthBasicProvider, AuthDefaultAuthoritative, AuthDigestProvider, AuthLDAPAuthzEnabled, AuthLDAPBindDN, AuthLDAPBindPassword, AuthLDAPCharsetConfig, AuthLDAPCompareDNOnServer, AuthLDAPDereferenceAliases, AuthLDAPGroupAttribute, AuthLDAPGroupAttributeIsDN, AuthLDAPRemoteUserIsDN, AuthLDAPURL, AuthzDBMAuthoritative, AuthzDBMType, AuthzDefaultAuthoritative, AuthzGroupFileAuthoritative, AuthzLDAPAuthoritative, AuthzOwnerAuthoritative, AuthzUserAuthoritative, BalancerMember, DAVGenericLockDB, FilterChain, FilterDeclare, FilterProtocol, FilterProvider, FilterTrace, IdentityCheckTimeout, IndexStyleSheet, ProxyPassReverseCookieDomain, ProxyPassReverseCookiePath, ProxySet, ProxyStatus, ThreadStackSize, AcceptFilter, Protocol, AuthDBDUserPWQuery, AuthDBDUserRealmQuery, UseCanonicalPhysicalPort, CheckCaseOnly, AuthLDAPRemoteUserAttribute, ProxyPassMatch, SSIAccessEnable, Substitute, ProxyPassInterpolateEnv ________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________ Htaccess Modules Here are most of the modules that come with Apache. Each one can have new commands that can be used in .htaccess file scopes. mod_actions, mod_alias, mod_asis, mod_auth_basic, mod_auth_digest, mod_authn_anon, mod_authn_dbd, mod_authn_dbm, mod_authn_default, mod_authn_file, mod_authz_dbm, mod_authz_default, mod_authz_groupfile, mod_authz_host, mod_authz_owner, mod_authz_user, mod_autoindex, mod_cache, mod_cern_meta, mod_cgi, mod_dav, mod_dav_fs, mod_dbd, mod_deflate, mod_dir, mod_disk_cache, mod_dumpio, mod_env, mod_expires, mod_ext_filter, mod_file_cache, mod_filter, mod_headers, mod_ident, mod_imagemap, mod_include, mod_info, mod_log_config, mod_log_forensic, mod_logio, mod_mem_cache, mod_mime, mod_mime_magic, mod_negotiation, mod_proxy, mod_proxy_ajp, mod_proxy_balancer, mod_proxy_connect, mod_proxy_ftp, mod_proxy_http, mod_rewrite, mod_setenvif, mod_speling, mod_ssl, mod_status, mod_substitute, mod_unique_id, mod_userdir, mod_usertrack, mod_version, mod_vhost_alias ________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________ Here are some example snippets of htaccess files grabbed from various sites. <IfModule mod_rewrite.c> RewriteEngine on RewriteRule ^$ webroot/ [L] RewriteRule (.*) webroot/$1 [L] </IfModule> <Limit GET POST PUT> Order Allow,Deny Deny from All </Limit> <IfModule mod_rewrite.c> RewriteEngine on RewriteRule ^$ app/webroot/ [L] RewriteRule (.*) app/webroot/$1 [L] </IfModule> # # Apache/PHP/Drupal settings: # # Protect files and directories from prying eyes. Options +Indexes AddIcon /icons/compressed.gif .bz2 AddType image/svg+xml .svg AddType image/svg+xml .svgz AddType text/html .shtml AddHandler server-parsed .shtml .html #DirectoryIndex index.php index.html #Options +FollowSymLinks #Options -Indexes Options All -Indexes # The concept for this was taken from the Drupal project by D. Keith Casey Jr. - caseydk@use... # PHP 4, Apache 1 <IfModule mod_php4.c> php_value magic_quotes_gpc 0 Options Indexes XBitHack on <ifmodule mod_rewrite.c> RewriteEngine On RewriteRule ^user/(\w+)/(\w+)/(\w+) index.php?user=$1&w=$2&root=$3 [L,QSA] RewriteRule ^user/(\w+)/(\w+) index.php?user=$1&w=$2 [L,QSA] RewriteRule ^user/(\w+) index.php?user=$1 [L,QSA] Satisfy All Options -Indexes <Files ~ "^\."> order allow,deny # # Apache/PHP/Drupal settings: # #php_flag display_errors on #php_flag display_startup_errors on <Files "config.php"> Order Allow,Deny Deny from All </Files> <?php /** * Smarty plugin * @package Smarty * @subpackage plugins DirectoryIndex index.htm index.html index.php index.prc index.htpl <FilesMatch "\.(htpl|prc)$"> SetHandler htpl-script </FilesMatch> SetEnv APPLICATION_ENV development RewriteEngine On RewriteCond %{REQUEST_FILENAME} -s [OR] RewriteCond %{REQUEST_FILENAME} -l [OR] <filesmatch "\.php$"> allow from all </filesmatch> #Uncomment the below to enable podcasting # # Apache/PHP/Drupal settings: # # Protect files and directories from prying eyes. AddDefaultCharset utf-8 # $Id: .htaccess,v 1.8 2004/11/03 18:21:16 rurban Exp $ <IfModule mod_php4.c> # For added security (and PhpWiki debugging purposes) you may want to <IfModule mod_rewrite.c> RewriteEngine on RewriteRule ^$ webroot/ [L] RewriteRule (.*) webroot/$1 [L] </IfModule> <IfModule mod_rewrite.c> RewriteEngine On RewriteRule ^([0-9]+)$ index.cgi?id=$1 [L] RewriteRule ^(rss|atom)$ index.cgi?action=qotw&output=$1 [L] RewriteRule ^([a-z_]+)(/([a-z_]*))?$ index.cgi?action=$1&admin_action=$3 [L,QSA] More on Page 2. ________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________ « Advanced .htaccess Tricks for Securing Sites Password Protection Plugin Status » Pages: 1 2 3 Similar Reads * htaccess HTTPS / SSL Tips, Tricks, and Hacks * PHP htaccess tips and tricks * Rewrite underscores to hyphens for SEO URL * Manipulating HTTP Headers with htaccess * htaccess Tricks for Webmasters * SEO Redirects without mod_rewrite * WordPress RewriteRules Viewer * .htaccess mod_rewrite rewrite examples * Redirect index.php to root * Speed up your site with Caching and cache-control * 301 Redirect with mod_rewrite or RedirectMatch * Make phpBB SEO friendly with htaccess * Feed for this Entry * Trackback * htaccess https Tags: .htaccess examples, Apache, Cache, caching, Files, FilesMatch, Google, Hacking, howto, htaccess, htaccess guide, htaccess help, htaccess howto, htaccess rewrite, htaccess tricks, htaccess tutorial, httpd, litespeed, mod_rewrite, Mod_Security, rewritecond, rewriterule, sample .htaccess, Security, SEO, seo secrets, SetEnvIf, ssl, ultimate htaccess Youtube experiment.. just testing!.. 5 autostarting songs.. askapache AskApache on Twitter My Picks * THE Mod_Rewrite Cheatsheet * AskApache .bash_profile * Elite Log Viewing * THE Ultimate Htaccess * Intense Windows Speed * DNS: Round Robin Speed * Fsockopen: Nuts * Rsync and SSH ________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________ The love of liberty is the love of others; the love of power is the love of ourselves. -- William Hazlitt ________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________ Related Articles * htaccess HTTPS / SSL Tips, Tricks, an * PHP htaccess tips and tricks * Rewrite underscores to hyphens for SE * Manipulating HTTP Headers with htacce * htaccess Tricks for Webmasters * SEO Redirects without mod_rewrite * WordPress RewriteRules Viewer * .htaccess mod_rewrite rewrite example * Redirect index.php to root * Speed up your site with Caching and c Newest Posts * 30x Faster WP-Super Cache and Site Speed with TMPFS * Tips and Tricks for a BASH Power Prompt * PortaPutty Auto-Reconnecting SSH Tunnels on an Encrypted TrueCrypt Portable USB Key w GPG ________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________ Donate Please consider donating to support active development of the free software and articles here. Donate! Good Causes * Electronic Frontier Foundation * Help the GNU Project * Volunteer for Tor ________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________ The power of the Web is in its universality. Access by everyone regardless of disability is an essential aspect. Tim Berners-Lee ________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________ Skip to Comments Add Your Opinion Name _________________________ Email Address _________________________ Website URL _________________________ ________________________________________ ________________________________________ ________________________________________ ________________________________________ ________________________________________ ________________________________________ ________________________________________ ________________________________________ ________________________________________ ________________________________________ say [_] Notify me of followup comments via e-mail Reader Comments 1. .htaccess Plugin Blocks Spam, Hackers, and Password Protects Blog ~ [...] Then I went through each version and determined the compatible modules for that version, and I’m pretty confident that I was also able to find each and every directive allowed by the compatible modules for that version (including core directives). See .htaccess directive list. [...] 2. Advanced Htaccess – SSI, ErrorDocuments, DirectoryIndexing SEO ~ [...] containing the shtml files (typically in a section, but this directive is also valid in .htaccess files if AllowOverride Options is [...] 3. Paul Alexandru ~ Hi. Can anyone help me with a htaccess problem please? I want to redirect: www.domain.com/sub-domain/ to sub-domain.domain.com 4. Ben ~ This may seem like a very strange request, but i have know idea where to start in writing my htaccess file. When i installed my version of WP about 3 months ago, i was unable to find my htaccess file, and i have looked many time and never found it. Came to the conclusion that their wasnt one. Did i have to write one myself? Could you suggest some sites that give descriptions and code on how to effectively write a good secure htaccess file. I will continue to read through ur site which will def. give me some ideas Ben 5. Henry ~ Hi, Great page, but in your full .htaccess directives list you have included the following: + Directory + Location + ErrorLog I have found that in Apache 2.2 these directives are not allowed. 6. Bernhard ~ Very nice tutorial. Just one note: Since Apache 2.0.49 it’s possible to use wildcards for the mime type in ExpiresByType, see (search for PR#7991). I tested it with Apache 2.2.9 and it works fine. In my .htaccess I set the expiration time for all images with: ExpiresByType image/* A2592000 7. Jey Jey ~ Great resource, Thanks for sharing this great knowledge 8. Martin Shortpants ~ Probably not the best place to ask this, but don’t where else. Is there an htaccess comand(s) that would take ever call to any occurrence of wp-content\themes and make it read from \allthemes The idea is to get several wp installs on same server to use common directories for their themes and plugins. I have no success with ln -s symlinks but htaccess rewrites all seem fine. (p.s. my odd email addie is legit) 9. jay ~ help! i can rewrite URLs just fine, but none of the images/css/js works anymore! i just get a plain-html view of the new target page here is the .htaccess: RewriteEngine On RewriteBase / RewriteRule ^somedirectory/page17 /index.php?id=17 10. Sushant ~ This a really informative post. Directory Protection with .htaccess files was all that i wanted. Thank You 11. Sam Lavoie ~ I always found myself getting back to this .htaccess tutorial and guide. Definitly the best and most complete one! 12. Andy ~ I realize this might be an older post, but I need some serious help. I have Wordpress MU installed in my root directory and Moodle installed in a subdirectory. These are interfering with each other. I’m getting Internal Server Errors in the Moodle install. I’m pretty sure it can be fixed with some .htaccess scripting. There is not a .htaccess file in the Moodle directory. I copied the .htaccess from the root directory over to the Moodle directory, but it didn’t do anything. Here’s what’s in the root directory. Is it possible the php.ini is causing the errors? # Use PHP5 as default AddHandler application/x-httpd-php5s .php   RewriteEngine On RewriteBase /   #uploaded files RewriteRule ^(.*/)?files/$ index.php [L]   RewriteCond %{REQUEST_URI} !.*wp-content/plugins.* RewriteRule ^(.*/)?files/(.*) wp-content/blogs.php?file=$2 [L]   # add a trailing slash to /wp-admin RewriteCond %{REQUEST_URI} ^.*/wp-admin$ RewriteRule ^(.+)$ $1/ [R=301,L]   RewriteCond %{REQUEST_FILENAME} -f [OR] RewriteCond %{REQUEST_FILENAME} -d RewriteRule . - [L]   RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-.*) $2 [L] RewriteRule ^([_0-9a-zA-Z-]+/)?(.*\.php)$ $2 [L] RewriteRule . index.php [L]   SecFilterEngine Off SecFilterScanPOST Off 13. Mia ~ Your site is absolutely great! I have been working on this for a week and I finally understand this. I do not have a directory index and I haven’t figured out quite how to do this yet. My webhosting site is Linux based so the code has to be either in Perl or Python. I can access the .htaccess files but I can get past the first step of creating the path. Please help. Mia 14. Fiona Tighe ~ Hi there, Great article.. however I have a question, which I hope you don’t mind me asking. I have built a web application and I have built a marketing site. The app is built on the .com while the marketing is currently on the .ie. Anyhow, if somebody types domain.com I wish to redirect them to domain.ie Once on the .ie, a button brings them to domain.com/login. So I don’t wish to redirect everything… I have attempted the following Redirect /index.php http://www.domain.ie/index.php However, unfortunately when you click on the button, it has changed to domain.ie/login which does not exist…. Any help would be much appreciated. Regards and thanks, Fiona 15. Rob Scott ~ Very good, comprehensive guide to .htaccess! 16. Sortins Technologies ~ Thank you for share a great and useful resource. 17. tim ~ Awesome guide. I will point our users to this :) 18. Scott C ~ Great job putting this together, thank you. You solved all my questions. 19. Larry Asuncion ~ How to cloak a domain redirected to a folder from another hosting using .htaccess? 20. rif ~ A wonderful htaccess guide and very distinct 21. Monsieur Code Promo ~ Great idea… however got disapointed by the only example I tried (protecting whole wp-admin folder except for static files). Till now, I used to password protect whole wp-admin, which lead to some bad displays when a css from WP-admin is required (which is stupid, I thing) Tried the example to protect whole wp-admin folder but the result in not as expected (still can’t access any CSS file behind /wp-admin/ and authentification not working at all). Thus, I’m assuming that either ruleset is incorrect, or that there are some server specific stuff to take care off. Thanks anyway for this unique guide. Rgds 22. Joe Schmoe ~ How Do I Make a Htaccess File? You talked about how Creating a Htaccess File, (without Htaccess Software) would work in Windows Explorer.. But what program do you use? I love your Examples of Htaccess Files, this is the best Htaccess Tutorial, Htaccess Example, and resource IVe managed to find. 23. Rob ~ I’m having the same problem as Manasi. I don’t know enough to know what the .htaccess files allowed [200] error means or what to do about it. Either it’s something I can get my hosting provider to fix, fix myself, or bug my hosting provider into including the feature. But if I don’t know what to ask, I can’t ask. Tried finding this on Google, this is the page I got. Thanks in advance for any help, Rob 24. off1 ~ Thank you man, I’m looking forward to implement all this to improve my server’s security 25. Arvind ~ Thanks for the best tutorial all in one. that’s great. I have problem with two .htaccess If there are two different .htaccess file in two different directory, one that exists on root folder and other one exists in sub directory called htaccesssearch. I want to redirect website from non-www to www with 301 and I have added code root .htaccess file as following RewriteEngine on Options +FollowSymlinks Rewritecond %{http_host} ^baghel.in Rewriterule ^(.*)$ http://www.baghel.in/$1 [r=301,nc] This is working fine but if we access the /htaccesssearch/abc.html it is not redirect to /htaccesssearch/abc.html because there is another .htaccess in the htaccesssearch folder . if we add the above code another .htaccess which is exist in htaccesssearch then whole site is not working . Please suggest me what should I do ! Thanks in advance 26. Tom Mc Carrick ~ Hi Dave I found your site when I was researching a problem I have with broken permalinks on my blog. The article on .htaccess is excellent. Basically, some of my backlinks are pointing to posts and have the format “postname.html” and they are giving “not found” errors. I would like the requests for the .html links to be redirected to the “clean” permalinks I am now using (i.e. “postname”). Could you please explain how I can do this through .htaccess? Thanks Tom 27. Krit ~ Hi, I have non-www to www redirect code as follows : RewriteEngine On ##non-www to www RewriteCond %{HTTP_HOST} !^(www\.example\.com)?$ RewriteRule (.*) http://www.example.com/$1 [R=301,L] This works fine and redirects all non-www version of the url to its corresponding www version. However when I have a https://www.example.com/mypage.asp, it redirects the same to http://www.example.com/mypage.asp. How can I prevent urls beginning with https to be skipped by this re-write rule. 28. macc ~ Fantastic site! Thanks! Still as a newbee I need some help… I would much appreciate if you could help me (eager to donate…) Here is my .htaccess code: RewriteEngine On RewriteRule ^index.html$ index.php RewriteRule ^browse-(.*)-videos.html$ category.php?cat=$1 RewriteRule ^browse-(.*)-videos-([0-9]+)-(.*).html$ category.php?cat=$1&amp;page=$2&amp;sortby=$3 RewriteRule ^favorites.html(.*)$ favorites.php$1 RewriteRule ^favorites.html(.*)$ favorites.php$1 RewriteRule ^playlist/(.*)$ myfavorites.php?u=$1 RewriteRule ^memberlist.html(.*)$ memberlist.php$1 RewriteRule ^tags/([^/]+)/$ tag.php?t=$1&amp;page=1 RewriteRule ^tags/([^/]+)/page-([0-9]+)(/)?$ tag.php?t=$1&amp;page=$2 RewriteRule ^(.*)/(.*)-video_(.*).html$ musicvideo.php?vid=$3 RewriteRule ^rss.xml$ rss.php [L] I want to have wild-subdomains (yes I have root access!). I want the user’s site to looks like http://user.domain.com (yes I have root access to my server! and I have already installed wild-subdomains for my other site) Best Regards, Macc 29. nowal ~ I am having problem on my WP blog and it has something to do with the htaccess. I installed the plugin but was not able to figure out the problem. The site was working fine but recently I am getting tons of page not found As ?p=xx is being added at the end of existing URL’s. It has something to do with permalink? URL Rewrite? Any hint as I am clueless at the moment, will appreciate! 30. mobi ~ My question is, I want to change the location of URL, to display example.com/myhtaccess.html in .htaccess. Help me out 31. geo ~ Great htaccess things here askapache, keep up the Good Job ;) Thank you 32. Naysweb ~ Hi, I hope you can help me, I would like for anyone who types site (also have subdomain) without the “WWW” for it to add it. I really hope you can help, I tried before but it went in a big rewrite loop.. added lots of WWW’s. Thanks 33. Conor ~ Hi thanks for the great info on creating a .htaccess file. I just wanted to know, is it possible to use deny from all and at the same time allow php from the same server to write to the directory? Thanks 34. chaithu ~ Hi, It’s a very nice tutorial, but i have got a problem with apache authentication modules. I have written an apache authentication module and given the authentication type as basic. But, whenever a GET request is coming, my authentication module is being invoked and for each GET request, authentication is happening. But i wnt it to be authenticated only once. how can i solve this problem and is there any relation of this problem with .htaccess file 35. kay ~ Hello, Any idea about what can be wrong with a Drupal .htaccess file that make it impossible to use my own error.php file on Dreamhost PS? Dreamhost replied me that it must be because of the .htaccess file but that’s all. Thanks a lot! 36. JAiro Gelvez ~ Exelente tutorial, he resuelt un complejo problema de cache gracias a las infinitas alternativas de los .htaccess, en particular gracias al mod_rewrite del apache y en ello este blog me ha sido de muchisima ayuda. Gracias a todos Great tutorial, I have solved a complex problem because of the infinite cache of alternatives. Htaccess, particularly thanks to the Apache mod_rewrite and so this blog I have been extremely helpful. Thanks to all 37. Case Stevens ~ Hi, Great htaccess tutorial, learned a lot, but like Emi, I want to redirect an affiliate link like site1.com/x.php?action=alink&id=15&link=3 to site2.com/newproduct/ Is this possible using a rewrite rule? Thanks for any advice 38. Manasi ~ I am unsure if I am doing somethign wrong. I am hosted with Godaddy but when the checking script runs it displays some errors and I am unsure as to how to resolve them: Error 1 .htaccess Capabilities .htaccess files allowed [200] errors out and gives me: HTTP/1.1 500 Internal Server Error Date: Wed, 19 Nov 2008 15:59:46 GMT Server: Apache Connection: close Content-Type: text/html; charset=iso-8859-1 The others items in this list also turn yellow ( not red like the first one but also give the same error ) Second Error: HTTP Digest Authentication Bummer… you don’t have digest capabilities. Is this critically needed? Third error: Basic Authentication Encryption Algorithms Basic Authentication Attempt using Crypt Encryption Basic Authentication Attempt using MD5 Encryption Basic Authentication Attempt using SHA1 Encryption all three same error as above: HTTP/1.1 500 Internal Server Error Date: Wed, 19 Nov 2008 15:59:46 GMT Server: Apache Connection: close Content-Type: text/html; charset=iso-8859-1 What am I missing? 39. allQoo ~ It is the most comprehensive htaccess info page I ever read. Rich with lots of examples. Thumbs UP! 40. Paul ~ Our website has been illegally copied by a Chinese website, and as a result, when you type in our company name in Google, their illegal website shows up on the first spot but with a 100% copy of our content. What is a good way to block this Chinese website from our content? Can we use htaccess files to do this? 41. Wetter ~ Nice .htaccess article. It was very helpful for me. 42. htaccess redirect ~ Now this is a detailed guide on redirecting with the htaccess file… excellent! 43. mike w ~ It it possible to redirect a page when the url has spaces ie. example.com/htaccess file.html ? 44. Wilvic ~ I found your site about htaccess interesting and could help me from what I’m doing. I just have some question regarding htaccess. I need to edit a webpage that already has a ‘Contact Webpage’ which you can send some suggestion/comments. It seems like this is the place where the post is directed. I checked the directory _vti_bin/ but it didn’t have shtml.exe instead i found .htaccess file. I’m not very familiar about htaccess much. Can you please help me how did htaccess directed to shtml.exe. 45. John ~ Hey, I am using the following code for redirecting non www url to www url. Please let me know what code to add? Options +FollowSymLinks RewriteEngine On RewriteBase / RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC] RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L] It work fine for the folowing url type example.com/restaurant.html, If I have to redirect the following non www url to www url example.com/cms/restaurant.html. When I hit this url I get the following response: "The requested URL /index.php was not found on this server." Thanks, John 46. Rich Bowen ~ Now even more! Love it. .htaccess rewrite mask external link,htaccess mod rewrite error page,how much does mod rewrite,.htaccess dynamic directories,htaccess rewrite url,htaccess url,htaccess hide url,mod rewrite php to htm and htaccess rewrite rule options,rewrite direct index link htaccess,htaccess rewriterule,.htaccess mod_rewrite rules,convert unix timestamp into date php,php to .html with htaccess 47. htaccess rewrite ~ htaccess rewrite, htaccess mod rewrite, php url rewrite, .htaccess rewrite rule, .htaccess redirect post variables, mod rewrite htaccess, hotlink code, rewrite url .htaccess, htaccess allow indexes, htaccess tips tricks, .htaccess php require, .htaccess php.ini, rewrite htaccess, htaccess rewrite rule, .htaccess mod rewrite Hey your home page is a little out of control 48. Richard ~ This is very useful and powerful htaccess. It does help improve the security of my wordpress. I will keep an eye of the updates. 49. Raymond S. Usbal ~ Thanks for putting this up. This htaccess guide is complete and direct to the point. I like it! 50. Jill ~ After three frustrating phone calls to the idiots at 1&1 hosting, simply trying to help one of my clients get a redirect… I gave up and asked my website hosting company, DreamHost for help. Their article directed me to this site, which, solved the htaccess problem with my client’s site in a snap. Thank you so much for this! 51. Grafikafe ~ very nice .htaccess doc, thank you man. 52. AskApache ~ http://www.michiknows.com/2007/02/12/who-else-wants-to-hide-their-wordpress-admin-folder/ 53. htaccess ~ this does not seem to work ? AuthName "htaccess password prompt" AuthUserFile /home/askapache.com/.htpasswd AuthType Basic Require valid-user Allow from 172.17.10.1 Satisfy Any It lets me in from any ip address ? I’ve managed to get it to work like this (although may not be correct) AuthName "htaccess password prompt" AuthUserFile /home/askapache.com/.htpasswd AuthType Basic Satisfy Any   order deny,allow deny from all Require valid-user Allow from 172.17.10.1   I’m not sure if this is optimal however. 54. Joost ~ Great list, it helps clear up much of the htacess mystery and confusion that comes from creating such files. 55. Liam McDermott ~ Thanks for this article, it’s great. So great that we’ve made it ‘sticky‘ on The Webmaster Forums. Now we don’t have to repeat ourselves, just send people to this article! 56. tenstar ~ That’s perfect summary, very valuable for my next job of doing SEO friendly urls through htaccess. Thank you. * / + Contact + About + Hire/Freelance + Search + Site Map + Htaccess Search + cURL / libcurl + WireShark + Non-GNU + Tor Project * Topics + htaccess * Tools + .htpasswd Generator + Advanced HTTP Headers + DNS Tracer + JavaScript Compressor/Obfuscator + JavaScript Source Code Beautifier + CSS Compressor + Your Public Info + Request Method Scanner + Password Cracker + Base64 Image Converter + MAC Lookup Search ____________________ Submit It's very simple - you read the protocol and write the code. -Bill Joy HTML | DCMI | GRDDL | XOXO | XDMP | XFN | DOM | XML | XHTML 1.1 Strict | CSS 2.1 | W3C | TLDP | WAI | DISA | ICSI | GIAC | SANS RR | GHOST | DEFCON | NIST | DHS CYBER | NIST | Phrack | GDB | IEEE | GIT | GNU LIBC ↑ TOPExcept where otherwise noted, content on this site is licensed under a Creative Commons Attribution 3.0 License, just credit with a link. This site is not supported or endorsed by The Apache Software Foundation (ASF). All software and documentation produced by The ASF is licensed. "Apache" is a trademark of The ASF. HTTPD based on NCSA HTTPd Site Map | Contact Webmaster | Email AskApache | Glossary | License and Disclaimer | Terms of Service