Suppose you want to customize the configuration of your web server but you don’t have access to the global configuration file. In that case you are stuck while developing your great web app. There is a solution to that: using a .htaccess file. In this post we will talk about the pros, cons, features, usage and writing of .htaccess files.
There are many web servers which support .htaccess file configuration, but the most popular one is the Apache HTTP web server. All the information in this post is valid for the Apache HTTP web server and nearly valid for other web servers.
Web Server Configuration Files
There are two types of files which can be used to customize the configuration of a web server. The first one is the global configuration file, also called the main configuration file, centralized configuration file or httpd.conf (its name in Apache server), and the second one is the directory-level configuration file, also called the decentralized configuration file or .htaccess file.
The location of the httpd.conf file is decided before compilation of the web server and it resides outside the web tree, while the .htaccess file is located in the web tree.
.htaccess configuration file
It’s a hidden file (its name starts with a dot) which resides in the web tree and can be used to configure the web server on a per-directory basis.
A .htaccess file containing configuration directives is placed in a particular web directory and the web server applies those directives to that directory and also all subdirectories.
Suppose you requested the URL “http://qnimate.com/blogs/my-first-blog/” and you have the blogs folder inside the root folder, but there is no such folder as my-first-blog. Then the web server loads the .htaccess files from the root folder and the blogs folder. It first executes the .htaccess file inside the blogs folder and then the .htaccess file inside the root folder.
When to use .htaccess file?
Use .htaccess only when you don’t have access to the httpd.conf file or to the server system. Everything that is achieved using a .htaccess file can be achieved using httpd.conf, but not everything that can be achieved using httpd.conf can be achieved using .htaccess.
Pros and Cons of .htaccess file
The pro of using a .htaccess file is that configuration changes made in this file take effect immediately, while configuration changes made in httpd.conf take effect after a server restart. And if the web server is hosting multiple sites then it’s a good practice to use .htaccess, as this allows users to change their site configuration without affecting other users’ web site configuration.
The con of using .htaccess is that it causes performance loss, as it needs to be accessed along with parent .htaccess files for every HTTP request. Also, allowing users to configure the server can cause security problems if the configuration is not set properly.
Configuration directives
Directives are like commands recognized by the web server and are put inside configuration files (.htaccess or httpd.conf). They look like key-value pairs and are used to customize server configurations. Complete reference to all directives can be found here.
Checking if .htaccess is enabled
Before we proceed to look at different customizations, directives and examples, let’s make sure that .htaccess usage is enabled.
We can check if the .htaccess file is enabled or not by simply making use of it. If it works then it’s enabled, otherwise not.
Inside your web root directory put the following files:
index.html
indexbackup.html
.htaccess
# "index.html"
DirectoryIndex indexbackup.html index.html
Now go to your browser and type your domain name and you should see the indexbackup.html file loading. If it doesn’t, then look at the section below to enable it.
Enabling use of .htaccess
.htaccess usage is enabled by default. httpd.conf has control over enabling and disabling use of the .htaccess file. So if it’s not enabled then you can find the “AllowOverride” directive inside the httpd.conf file and change its value to “All”. Note that you will find this directive in several directory sections inside the file; you need to modify the one which points to the location of the server root directory.
<Directory "/path/to/web/root/dir">
AllowOverride All
</Directory>
This is the only method to enable it and it requires access to the root file system. If you don’t have access then you can contact your hosting service provider.
“AllowOverride” directive can have several other values. Values for this directive represent the configurations that can be overwritten. Other values are:
- AuthConfig – Allows use of authorization directives.
- Indexes – Allows directory listing customizations.
- FileInfo – Allows directives that deal with setting Headers, Error Documents, Cookies, URL Rewriting, and more.
- Limit – Allows directives to control access to pages in a number of different ways.
- Options – Allows similar access to Indexes but includes even more values such as ExecCGI, FollowSymLinks, Includes and more.
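Because “AllowOverride All” hands every directive class to whoever can write a .htaccess file, it helps to know which directories grant it. The following is an added example, not code from the original post: a small Python audit that reports the AllowOverride scope of each Directory section. The function name, the verdict labels and the sample configuration are assumptions made for illustration.

```python
import re

# Constructed sample httpd.conf fragment (paths are placeholders).
SAMPLE_CONF = """\
<Directory "/path/to/web/root/dir">
    AllowOverride All
</Directory>
<Directory "/path/to/web/root/dir/blog">
    AllowOverride AuthConfig Indexes
</Directory>
<Directory "/path/to/web/root/dir/static">
    AllowOverride None
</Directory>
"""

OPEN = re.compile(r'^<Directory\s+"?([^">]+)"?\s*>$', re.IGNORECASE)
CLOSE = re.compile(r"^</Directory\s*>$", re.IGNORECASE)

def audit_allowoverride(conf_text):
    """Return (line_no, directory, classes, verdict) per AllowOverride line."""
    findings, current = [], None
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = OPEN.match(line)
        if opened:
            current = opened.group(1)
        elif CLOSE.match(line):
            current = None
        elif current and line.split()[0].lower() == "allowoverride":
            classes = line.split()[1:]
            lowered = [c.lower() for c in classes]
            if "all" in lowered:
                verdict = "broad"      # every directive class can be set from .htaccess
            elif lowered == ["none"]:
                verdict = "disabled"   # .htaccess files are ignored here
            else:
                verdict = "scoped"     # only the listed classes can be overridden
            findings.append((line_no, current, classes, verdict))
    return findings

if __name__ == "__main__":
    for finding in audit_allowoverride(SAMPLE_CONF):
        print(finding)
```

Sections reported as "broad" are the ones to review first; a "scoped" entry lists exactly which of the classes above a .htaccess file may use.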
Possible configurations using .htaccess
There are a lot of configurations which can be customized using a .htaccess file, but some common ones are authorization, authentication, rewriting URLs, blocking, SSI, directory listing, customized error responses, MIME types, cache control etc. Now we will look at some of the most common and important directives.
Authorization and Authentication using .htaccess
In this example we will look at protecting a directory using username and password. Put the following files in the directory which you want to protect.
.htaccess
AuthType Basic
AuthName "Password Protected Directory"
AuthUserFile /path/to/.htpasswd
Require valid-user
.htpasswd
#narayanprusty:qnimate
narayanprusty:$apr1$MrOput2Q$AZpBTZOJ4m7HToP1h7K6V1
Here you need to remember two things. Your path to .htpasswd needs to be a full file system path, not a web path. You can find the file system path of your folder by calling the phpinfo() function (find the CONTEXT_DOCUMENT_ROOT variable) in a script in that folder. And your password in the .htpasswd file needs to be hashed using the MD5 algorithm.
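Apache recognizes the hash format of each .htpasswd entry by its prefix: $apr1$ is the MD5 variant shown above, $2y$ is bcrypt (produced by htpasswd -B) and {SHA} is unsalted SHA-1. The following added example, which is not part of the original post, audits a password file by scheme; the function names, the choice to treat only bcrypt as preferred, and every sample entry except the one from the post are assumptions of this example.

```python
import re

# Constructed sample: the first entry is the one shown in the post; the other
# hash values are placeholders made up for illustration, not real digests.
SAMPLE_HTPASSWD = """\
#narayanprusty:qnimate
narayanprusty:$apr1$MrOput2Q$AZpBTZOJ4m7HToP1h7K6V1
alice:$2y$10$%s
bob:{SHA}%s=
carol:ab%s
dave:summer2024
""" % ("A" * 53, "B" * 27, "C" * 11)

def classify_hash(value):
    """Map the hash field of an .htpasswd entry to (scheme, preferred)."""
    if value.startswith("$2y$"):
        return ("bcrypt", True)
    if value.startswith("$apr1$"):
        return ("apr1-md5", False)       # Apache's iterated, salted MD5
    if value.startswith("{SHA}"):
        return ("sha1", False)           # unsalted, single SHA-1 round
    if re.fullmatch(r"[./0-9A-Za-z]{13}", value):
        return ("crypt", False)          # heuristic: traditional crypt() shape
    return ("plaintext-or-unknown", False)

def audit_htpasswd(text):
    """Return (line_no, user, scheme, preferred) for every credential line."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # the server skips these lines too
            continue
        user, sep, value = line.partition(":")
        if not sep or not value:
            findings.append((line_no, user, "malformed", False))
            continue
        # Anything after a second colon is not part of the hash.
        findings.append((line_no, user) + classify_hash(value.split(":")[0]))
    return findings

if __name__ == "__main__":
    for finding in audit_htpasswd(SAMPLE_HTPASSWD):
        print(finding)
```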
This is another example in which we will protect a file instead of a full directory.
secretnotes.txt
.htaccess
AuthType Basic
AuthName "secretnotes.txt"
AuthUserFile /path/to/.htpasswd
#<Files> is a section which limits the directive effect to a particular file.
<Files "secretnotes.txt">
Require valid-user
</Files>
.htpasswd
This is another example in which we will completely disallow access to a file.
secretnotes.txt
.htaccess
<Files "secretnotes.txt">
Deny from all
</Files>
Similarly there are many more directives available for authorization and authentication.
Rewriting and Redirecting URLs using .htaccess
In this example we will redirect all requests for www.qnimate.com to qnimate.com.
Put this file in the root web directory.
.htaccess
RewriteEngine On
#this condition checks if host is www.qnimate.com; if it is true then the rule below sends the 301 redirect
RewriteCond %{HTTP_HOST} ^www\.qnimate\.com$ [NC]
RewriteRule ^(.*)$ http://qnimate.com/$1 [R=301,L]
Whenever the web server processes a redirect such as this one, it stops execution and sends a redirect response to the client.
This is another example in which we will rewrite a URL internally, which will change http://qnimate.com/song/12332123 to http://qnimate.com/?song=12332123. This is done for SEO purposes because Google doesn’t like query strings in URLs. Put this file in the root directory.
.htaccess
RewriteEngine On
RewriteRule ^song/(.+)$ index.php?song=$1 [L,QSA]
The RewriteRule directive takes a regexp as its first value. If the regexp matches then the URL is rewritten internally. After .htaccess execution finishes, the new URL path is followed and the .htaccess files for that path are executed, i.e., a new HTTP request is formed internally for the new URL produced by the rewrite directive.
Here we provide the L flag, which means: don’t let any other directive rewrite the URL. We can provide the R flag, which asks the web server to send a redirect response to the HTTP client for the new modified URL and stop execution.
Similarly there are many more directives for rewriting and redirecting URLs.
Enabling Server Side Includes (SSI) using .htaccess
Server side includes are enabled by default, but you need to use file extensions like .shtml, .stm, .shtm etc. Server side includes can be enabled for .html or .htm by using a .htaccess file.
In this example we enable server side includes for .html files. Put this file in the root directory.
.htaccess
Similarly you can customize SSI further using directives.
Custom Error Pages using .htaccess
Whenever errors like 400, 401, 403, 404 or 500 occur, a default error page is returned to the browser. But we can customize server configurations using a .htaccess file to display our custom error pages.
In this example we will configure the web server to use custom error pages for five common errors. Place this file in the root directory.
.htaccess
ErrorDocument 400 /400.html
ErrorDocument 401 /401.html
ErrorDocument 403 /403.html
ErrorDocument 404 /404.html
ErrorDocument 500 /500.html
There are a lot of things that can be done for customizing error responses.
HTTP Cache Control using .htaccess
Using .htaccess we can control the Expires HTTP header and Cache-Control HTTP header.
For cache control to work you need to enable the mod_expires and mod_headers modules.
Let’s see an example of cache control using .htaccess.
.htaccess
ExpiresActive On
#default expiry time is 10 minutes (A600) for all kinds of file; gif files in this directory have expiry time 1 month
ExpiresDefault A600
ExpiresByType image/gif A2592000
You can customize error pages to a much greater extent.
Control Directory Listing using .htaccess
If an index file is not present in a directory then the web server displays a list of all files in that directory when that directory is pointed to using a web browser.
We can customize this configuration using a .htaccess file. Place these files in the directory whose listing needs to be customized.
In this example we will enable directory listing.
.htaccess
This is another example in which we will disable directory listing.
.htaccess
This is another example in which we will change the directory listing style.
.htaccess
This is another example in which we will exclude files with a specific extension from being listed.
.htaccess
This is another example in which we will modify the index file, so that the web server will display this file when pointed to the directory.
.htaccess
There are many more things you can do to directory listing.
Blocking using .htaccess
We can block IP address, referrers, bots and rippers using .htaccess file.
In this example we will block some IP addresses from accessing our site. Put this file in the root directory.
.htaccess
#block this IP
Deny from 125.67.34.67
#block IP address from 122.34.67.0 to 122.34.67.255
Deny from 122.34.67.
This is another example in which we will block users visiting our site from google.com and yahoo.com.
.htaccess
RewriteEngine On
#condition directives
RewriteCond %{HTTP_REFERER} google\.com [NC,OR]
RewriteCond %{HTTP_REFERER} yahoo\.com
#matches so display forbidden error
RewriteRule .* - [F]
This is another example in which we will block the wget and NetSpider bots from accessing our site.
.htaccess
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^NetSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget
RewriteRule ^.* - [F,L]
You can do a lot of other blockings using .htaccess.
Adding MIME Types using .htaccess
Web servers are already configured to handle and produce the MIME type of certain common file types like .html, .txt, .xml etc.
It’s important for a browser to look at the MIME header of the HTTP response so that it can interpret it properly. The web server also looks for the MIME type of files in the configuration file before deciding how to interpret them.
We can add or customize MIME for different file extensions using .htaccess.
In this example we will change MIME of mp3 file so that browser will download the file instead of playing it. It can be done by changing audio/mpeg MIME to application/octet-stream.
.htaccess
AddType application/octet-stream .mp3
This is another example in which the web server will interpret .qnimate files as .html files.
.htaccess
AddType text/html .qnimate
Changing charset using .htaccess
The character set of a file is very important for a web server and browser. Both look at the charset of a file before interpreting it.
It’s important for a browser to look at the Content-Type header for the charset value so that it knows how many bytes constitute a character and also how to display the characters. Similarly it’s important for a web server to look at the charset of a file in the configuration file before interpreting it. In case a charset is not provided, the browser and server take the default value of UTF-8.
In this example we set the character set of .css and .js files to ISO-8859-1, and the charset of .html and all other files to UTF-8.
.htaccess
AddCharset ISO-8859-1 .css .js
AddDefaultCharset UTF-8
Conclusion
We saw how we can overwrite configurations made by httpd.conf, which decentralizes web server configuration. We also saw some common uses of the .htaccess file with code examples. There are a lot of other things that can be done using a .htaccess file.