We build. You grow.

Get best community software here

Start a social network, a fan-site, an education project with oxwall - free opensource community software

htaccess file | Forum

Pete Sep 11 '12

For security, you should not upload the htpasswd file to a directory that is web accessible (yoursite.com/.htpasswd), it should be placed above your www root directory. You'll be specifying the location to it later on, so be sure you know where you put it. Also, this file, as with htaccess, should be uploaded as ASCII and not BINARY.

Create a new htaccess file and place the following code in it:

AuthUserFile /usr/local/you/safedir/.htpasswd AuthGroupFile /dev/null AuthName EnterPassword AuthType Basic require user username
The first line is the full server path to your htpasswd file. If you have installed scripts on your server, you should be familiar with this. Please note that this is not a URL, this is a server path. Also note that if you place this htaccess file in your root directory, it will password protect your entire site, which probably isn't your exact goal.

The second to last line require user is where you enter the username of those who you want to have access to that portion of your site. Note that using this will allow only that specific user to be able to access that directory. This applies if you had an htpasswd file that had multiple users setup in it and you wanted each one to have access to an individual directory. If you wanted the entire list of users to have access to that directory, you would replace Require user xxx with require valid-user.

The AuthName is the name of the area you want to access. It could anything, such as "EnterPassword". You can change the name of this 'realm' to whatever you want, within reason.

We are using AuthType Basic because we are using basic HTTP authentication.


Deny users by IP

Add the following to the .htaccess file:

<Limit GET> order allow,deny deny from 128.23.45. deny from allow from all </Limit>
This is an example of a .htaccess file that will block access to your site to anyone who is coming from any IP address beginning with 128.23.45 and from the specific IP address . By specifying only part of an IP address, and ending the partial IP address with a period, all sub-addresses coming from the specified IP address block will be blocked. You must use the IP addresses to block access, use of domain names is not supported. To deny all IP addresses from your site use:
<Limit GET> order allow,deny deny from all </Limit>


Change your default directory page

Some of you may be wondering what is DirectoryIndex? It is a command which allows you to specify a file that is to be loaded as your default page whenever a directory or url request comes in, that does not specify a specific page.

DirectoryIndex filename.html
This would cause filename.html to be treated as your default page, or default directory page. You can also append other filenames to it. You may want to have certain directories use a script as a default page.
DirectoryIndex filename.html index.cgi index.pl default.htm
Placing the above command in your htaccess file will cause this to happen:
When a user types in yoursite.com, your site will look for filename.html in your root directory (or any directory if you specify this in the global htaccess), and if it finds it, it will load that page as the default page. If it does not find filename.html, it will then look for index.cgi; if it finds that one, it will load it, if not, it will look for index.pl and the whole process repeats until it finds a file it can use. Basically, the list of files is read from left to right.


Prevent viewing of .htaccess file

If you use htaccess for password protection, then the location containing all of your password information is plainly available through the htaccess file. If you have set incorrect permissions or if your server is not as secure as it could be, a browser has the potential to view an htaccess file through a standard web interface and thus compromise your site/server. This, of course, would be a bad thing. However, it is possible to prevent an htaccess file from being viewed in this manner:

<FILES .htaccess> order allow,deny deny from all </FILES>


The first line specifies that the file named .htaccess is having this rule applied to it. You could use this for other purposes as well if you get creative enough. If you use this in your htaccess file, a person trying to see that file would get returned (under most server configurations) a 403 error code. You can also set permissions for your htaccess file via CHMOD, which would also prevent this from happening, as an added measure of security: 644 or RW-R--R--

Some people can hack into your htaccesse files useing cap letters,to prevent place -


<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all


inside your htaccesse file.



Ever go through the nightmare of changing significantly portions of your site, then having to deal with the problem of people finding their way from the old pages to the new? There are different ways of redirecting pages, through http-equiv, javascript or any of the server-side languages. You can do it through htaccess, which is probably the most effective, considering the minimal amount of work required to do it.

Htaccess uses redirect to look for any request for a specific page and if it finds that request, it forwards it to a new page you have specified:

Redirect /olddirectory/oldfile.html http://yoursite.com/newdirectory/newfile.html
Note that there are 3 parts to that, which should all be on one line.

The redirect command.
The location of the file/directory you want redirected relative to the root of your site (/olddirectory/oldfile.html = yoursite.com/olddirectory/oldfile.html) The full URL of the location you want that request sent to.

Each of the 3 is separated by a single space, but all on one line. You can also redirect an entire directory by simple using:

Redirect /olddirectory/ http://yoursite.com/newdirectory/
Using this method, you can redirect any number of pages no matter what you do to your directory structure. It is the fastest method as a global affect.


Adding MIME Types

What are MIME Types?

MIME stands for Multipurpose Internet Mail Extensions. It extends the power of web browsers to handle graphics, sound and multimedia. MIME is also used for binary email attachments. Browsers recognize MIME types in categories and file types, separated by a slash (such as image/gif). If you've registered a MIME type, the browser decodes the file and launches a helper application. What if your server wasn't set up to deliver certain file types properly? A common occurrence with MP3 or even SWF files. Simple enough to fix with htaccess:

To do this you must first understand the three parts of adding a MIMI type. The first part is the AddType. This tells the server that you are adding a MIME type. Second is the application string. This is the actual parameter of the MIME you are adding (the MIME type). The final part is the default extension for the MIME type you want to add.

AddType mime-type .ext

Save the .htaccess file and store all ext files in the same directory. Then, all files in the directory that end in .ext (those extensions you have added) will be mapped into mime-type and handled properly by the server. Please note that you must include a period (.) before the extension. You can list several extensions separated by blanks. For example, if you wanted to store and serve Lotus 1-2-3 files with the extensions wks, wk1, wk2, wk3, and wk4, you should type:

AddType application/lotus123 .wks .wk1 .wk2 .wk3 .wk4
By the way, here's a neat little trick that few know about. To force a file to be downloaded, via the Save As browser feature, you can simply set a MIME type to application/octet-stream and that immediately prompts you for the download.


Preventing hot linking of images

In the webmaster community, "hot linking" is a curse phrase. Also known as "bandwidth stealing". It refers to linking directly to non-html objects not on one own's server, such as images, .js files etc. The victim's server in this case is robbed of bandwidth (and in turn money) as the violator enjoys showing content without having to pay for its deliverance. The most common practice of hot linking pertains to another site's images.

In the webmaster community, "hot linking" is a curse phrase. Also known as "bandwidth stealing". It refers to linking directly to non-html objects not on one own's server, such as images, .js files etc. The victim's server in this case is robbed of bandwidth (and in turn money) as the violator enjoys showing content without having to pay for its deliverance. The most common practice of hot linking pertains to another site's images.

The best way to stop hot linking is to have your images be placed in a seperate folder (not the same folder as html files) and put a .htaccess file in it.

Copy this text below, make the changes to show your domain info, and paste it into notepad. Name this file .htaccess and place in in all your images folders. Be sure to upload in ASCII mode or the .htaccess file will not work.

RewriteEngine on RewriteCond %{HTTP_REFERER} !^$ RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain.com/.*$ [NC] RewriteRule \.(gif|jpg)$ - [F]
Be sure to replace "mydomain.com" with your own. The above code causes a broken image to be displayed when its hot linked. You can have an image display for those who try to hot link. You can have an image of your choice be displayed for those attempting to steal bandwidth. The code for this is:
RewriteEngine on RewriteCond %{HTTP_REFERER} !^$ RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain.com/.*$ [NC] RewriteRule \.(gif|jpg)$ http://www.mydomain.com/notallowed.gif [R,L]
The first line tells Apache to turn on the MOD Rewite.
The next two lines you change to your address (either with, and without the as well as your IP).
The last line is where you would like the link from the site trying to download from their pages to be redirected. This way if some one links directly to your "coolpicture.jpg" from their website, instead of seeing your cool picture the user will see a picture that you decide to show. Make the picture be something the user will not want to see and get the message across that he is a bandwidth stealer. After the user sees that the "hot linking" isn't working, the user will change his links.

In order to have it work for you:
replace mydomain.com with your own domain
replace the notallowed.gif with the image you want them to see.

The Forum post is edited by Pete Sep 12 '12