.htaccess is a configuration file for use on web servers running the Apache Web Server software. When an .htaccess file is placed in a directory which is in turn ‘loaded via the Apache Web Server’, the file is detected and executed by the Apache Web Server software. These .htaccess files can be used to alter the configuration of the Apache Web Server software, enabling or disabling additional functionality and features that it has to offer. These facilities range from basic redirect functionality, for instance when a 404 file not found error occurs, to more advanced functions such as content password protection or image hot link prevention.

Basic Usages of a .htaccess file:

 

Redirects

 

Redirects enable us to direct web site visitors from one document within your web site to another. This is useful, for example, if you have moved your web site content and would like to redirect visitors from old links to the new content location.

To set-up redirects, create an htaccess file following the main instructions and guidance which includes the following text:
[code]Redirect /old_dir/ http://www.yourdomain.com/new_dir/index.html[/code]
The above line tells the Apache Web Server that if a visitor requests a document located in the directory ‘old_dir’, it should display the document ‘index.html’ located in the directory ‘new_dir’.

Error documents

 

Creating custom error pages is very useful: it allows you to show web site visitors a friendly error message, for instance if a URL on your web site does not work. This avoids the unfriendly ‘404 File Not Found’ error and allows you to display a friendly error, explaining possible solutions and guiding the visitor back into your web site content, rather than leaving them frustrated and lost.

To set-up custom error documents, create a .htaccess file following the main instructions and guidance which includes the following text:

[code]ErrorDocument 404 /error_pages/404.html[/code]

The above line tells the Apache Web Server to display the document located at /error_pages/404.html (under your domain name/web site address) whenever a 404 (file not found) error occurs.

In this example, we have assumed you have created the error document and called it ‘404.html’ and that you have placed it in a directory called ‘error_pages’ under your domain name. For example, http://www.yourdomain.com/error_pages/404.html

The document 404.html is a normal HTML document like the others in your web site and can display whatever content you wish, however we recommend including a ‘File Not Found’ message.

To set up further error documents, for example for ‘401 Unauthorised’, ‘403 Forbidden’, and ‘500 Internal Server’ error messages, create a .htaccess file following the main instructions and guidance which includes the following text:

[code]
ErrorDocument 401 /error_pages/401.html
ErrorDocument 403 /error_pages/403.html
ErrorDocument 404 /error_pages/404.html
ErrorDocument 500 /error_pages/500.html
[/code]

Password protection

 

The password protection and authentication systems offered by the Apache Web Server are probably the most important use of .htaccess files. We can very easily password protect one or more directories of a web site so that they require a username and password to access. The login procedure for these secure directories is handled automatically by the web browser using a pop-up login interface (you’ve probably seen these before). Passwords are also encrypted using one of the best encryption methods available which ensures login credentials are kept secure.

To begin, decide which directory you would like to password protect (note that all files and subdirectories within the directory will be password protected), then create an .htaccess file following the main instructions and guidance which includes the following text:

[code]AuthName "Member's Area Name"
AuthUserFile /path/to/password/file/.htpasswd
AuthType Basic
Require valid-user[/code]

The first line tells the Apache Web Server the secure directory is called ‘Member’s Area Name’; this will be displayed when the pop-up login prompt appears. The second line specifies the location of the password file. The third line specifies the authentication type; in this example we are using ‘Basic’ because we are using basic HTTP authentication. Finally, the fourth line specifies that we require valid login credentials. This line can also be used to specify a specific username, e.g. ‘require user username’ would require the username ‘username’. You would use this if you were password protecting an administration area, rather than setting up a public password protected directory.

The location of the password file can be anywhere on your web server. The ‘/path/to/password/file/’ must be replaced with the full/absolute path to the directory containing the password file, and the ‘.htpasswd’ file must exist, although it can be called anything. We use the filename ‘.htpasswd’ because the server will recognise the filename and will hide it from visitors. Note, some servers do require the password file be located in the same directory as the .htaccess file. It is also important to use a full/absolute server path for the location of the password file; a relative path, or any variation of a URL, will not work.

The password file would contain something similar to the following text:
[code]username:encryptedpassword
fred_smith:oCF9Pam/MXJg2[/code]

Note that you cannot just make up the password: on Unix/Linux servers it must be encrypted by the server, while on Windows servers you do just use a plain text password, as Windows does not offer any encryption methods. You can have any number of user records in your password file, one account per row, separating the username and password with a colon. If you don’t have server access, please ask your service provider to enable this feature. Please control Panel has this inbuilt feature.
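As an added example (not part of the original page), the Python sketch below classifies each password-file entry by the shape of the stored value, so that entries in a weak format can be re-issued; the 13-character value in the sample above has the shape of the traditional crypt() format, which the htpasswd documentation describes as insecure by today’s standards. The function name, the ratings and the bcrypt-shaped entry are constructed for illustration.

```python
import re

# Entry formats Apache basic auth accepts, recognised by shape only.
# The ratings are this example's labels, not Apache output.
SCHEMES = [
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"), "ok"),
    ("apr1-md5", re.compile(r"^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$"), "legacy"),
    ("sha1", re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$"), "insecure"),
    ("des-crypt", re.compile(r"^[./A-Za-z0-9]{13}$"), "insecure"),
]

def audit_htpasswd(text):
    """Return (user, scheme, rating) for every non-empty line of a password file."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        user, sep, secret = line.partition(":")
        if not sep or not user or not secret:
            findings.append((line, "malformed", "fix"))
            continue
        for name, pattern, rating in SCHEMES:
            if pattern.match(secret):
                findings.append((user, name, rating))
                break
        else:
            # Not a recognised hash shape: stored as plain text, or unknown.
            findings.append((user, "plaintext-or-unknown", "insecure"))
    return findings

# Constructed sample: the two lines shown on the page, a bcrypt-shaped
# placeholder (not a real hash) and a line with no colon.
SAMPLE = "\n".join([
    "username:encryptedpassword",
    "fred_smith:oCF9Pam/MXJg2",
    "alice:$2y$10$" + "x" * 53,
    "nocolon",
])

if __name__ == "__main__":
    for row in audit_htpasswd(SAMPLE):
        print(row)
```

Because Basic authentication sends the username and password with every request in an encoding that is trivially reversed, the stored format only protects the file at rest; the protected directory should be served over HTTPS.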

Deny visitors by IP address

The visitor blocking facilities offered by the Apache Web Server enable us to deny access to specific visitors, or allow access to specific visitors. This is extremely useful for blocking unwanted visitors, or to only allow the web site owner access to certain sections of the web site, such as an administration area.

To set-up visitors restrictions and blocking, create a .htaccess file following the main instructions and guidance which includes the following text:

[code]order allow,deny
deny from 255.0.0.0
deny from 123.45.6.
allow from all[/code]

The above lines tell the Apache Web Server to block visitors from the IP address ‘255.0.0.0’ and ‘123.45.6.’. Note that the second IP address is missing the fourth set of digits; this means any IP address which matches the first three sets of digits will be blocked, e.g. ‘123.45.6.10’ and ‘123.45.6.255’ would be blocked.

To set-up blocking of all visitors except yourself, create a .htaccess file following the main instructions and guidance which includes the following text:

[code]order deny,allow
allow from 255.0.0.0
deny from all[/code]

The above lines tell the Apache Web Server to block all visitors except those with the IP address ‘255.0.0.0’, which you should replace with your own IP address. Note that the first line reads ‘order deny,allow’ here: under ‘order allow,deny’ a visitor who matches both an ‘allow from’ and a ‘deny from’ record is blocked, so ‘deny from all’ would lock out every visitor, including you.

You may add any number of ‘deny from’ and ‘allow from’ records after the ‘order’ line. Note the change from ‘allow from all’ to ‘deny from all’ on the bottom line; this is important and must be changed depending on your requirements. If you want to allow your visitor access, you would use ‘order allow,deny’ with ‘allow from all’ and place ‘deny from’ lines above.

Blocked visitors will be shown a ‘403 Forbidden’ error message.
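An added Python model (not from the original page; the function names are hypothetical) of how the ‘order’ line settles a request that matches both an ‘allow from’ and a ‘deny from’ record, using the addresses from the examples above plus a constructed outside address. These directives are the Apache 2.2 syntax, which Apache 2.4 provides through mod_access_compat.

```python
def matches(ip, spec):
    """'all' matches every client; a partial address such as '123.45.6.'
    matches on whole leading octets, as described above."""
    if spec == "all":
        return True
    want = spec.rstrip(".").split(".")
    return ip.split(".")[:len(want)] == want

def evaluate(order, allow, deny, ip):
    """Return True if the request is served, False if it gets 403 Forbidden."""
    allowed = any(matches(ip, s) for s in allow)
    denied = any(matches(ip, s) for s in deny)
    if order == "allow,deny":
        # Must match an allow record; any deny match then rejects.
        # A client matching neither list is rejected.
        return allowed and not denied
    if order == "deny,allow":
        # A deny match rejects unless an allow record also matches.
        # A client matching neither list is served.
        return allowed or not denied
    raise ValueError("unknown order: " + order)

OWNER = "255.0.0.0"        # placeholder address used on the page
OUTSIDER = "203.0.113.7"   # constructed address (documentation range)

def owner_only(order, ip):
    """'allow from <owner>' plus 'deny from all' under the given order."""
    return evaluate(order, allow=[OWNER], deny=["all"], ip=ip)

def blocklist(ip):
    """The page's first rule set: allow from all, deny two records."""
    return evaluate("allow,deny", allow=["all"],
                    deny=["255.0.0.0", "123.45.6."], ip=ip)

if __name__ == "__main__":
    for order in ("allow,deny", "deny,allow"):
        print(order, "owner:", owner_only(order, OWNER),
              "outsider:", owner_only(order, OUTSIDER))
    for ip in ("123.45.6.10", "123.45.60.1", OUTSIDER):
        print("blocklist", ip, blocklist(ip))
```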

Hot link prevention techniques

Hot link prevention refers to stopping web sites that are not your own from displaying your files or content, e.g. stopping visitors from other web sites. This is most commonly used to prevent other web sites from displaying your images, but it can be used to prevent people using your JavaScript or CSS (cascading style sheet) files. The problem with hot linking is that it uses your bandwidth, which in turn costs money; hot linking is often referred to as ‘bandwidth theft’.

Using htaccess we can prevent other web sites from sourcing your content, and can even display different content in turn. For example, it is common to display what is referred to as an ‘angry man’ image instead of the desired images.

Note, this functionality requires that ‘mod_rewrite’ is enabled on your server. Due to the demands that can be placed on system resources, it is unlikely it is enabled so be sure to check with your system administrator or web hosting company.

To set-up hot link prevention for ‘.gif’, ‘.jpg’ and ‘.css’ files, create a .htaccess file following the main instructions and guidance which includes the following text:

[code]RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain\.com/.*$ [NC]
RewriteRule \.(gif|jpg|css)$ - [F][/code]

The above lines tell the Apache Web Server to block all links to ‘.gif’, ‘.jpg’ and ‘.css’ files which are not from the domain name ‘http://www.yourdomain.com/’. Before uploading your htaccess file ensure you replace ‘yourdomain.com’ with the appropriate web site address.

To set-up hot link prevention for ‘.gif’, ‘.jpg’ files which displays alternate content (such as an angry man image), create a .htaccess file following the main instructions and guidance which includes the following text:

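[code]RewriteEngine on
# Requests that carry no Referer header are let through
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain\.com/.*$ [NC]
# Do not redirect the replacement image itself, or the redirect loops
RewriteCond %{REQUEST_URI} !/hotlink\.jpg$
RewriteRule \.(gif|jpg)$ http://www.yourdomain.com/hotlink.jpg [R,L][/code]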

The above lines tell the Apache Web Server to block all links to ‘.gif’ and ‘.jpg’ files which are not from the domain name ‘http://www.yourdomain.com/’ and to display the file ‘http://www.yourdomain.com/hotlink.jpg’ instead. Before uploading your .htaccess file ensure you replace ‘yourdomain.com’ with the appropriate web site address.
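A model of the redirect variant, as an added Python example (not from the original page; the function names and the ‘other.example’ referrer are constructed): it follows the redirect the way a browser does, still sending the embedding page as the Referer, and shows that the replacement image has to be exempted from the rule or the request never settles.

```python
import re

# The two conditions and the rule pattern from the rule set above.
OWN_SITE = re.compile(r"^http://(www\.)?yourdomain\.com/.*$", re.I)  # [NC]
IMAGE = re.compile(r"\.(gif|jpg)$")
PLACEHOLDER = "/hotlink.jpg"

def decide(path, referer, exempt_placeholder):
    """Return 'serve' or 'redirect' for a single request."""
    if referer == "":                  # RewriteCond %{HTTP_REFERER} !^$
        return "serve"
    if OWN_SITE.match(referer):        # RewriteCond ... !^http://(www\.)?...
        return "serve"
    if exempt_placeholder and path == PLACEHOLDER:
        return "serve"                 # extra condition on the request path
    if IMAGE.search(path):             # RewriteRule \.(gif|jpg)$ ... [R,L]
        return "redirect"
    return "serve"

def follow(path, referer, exempt_placeholder, max_hops=5):
    """Follow redirects, keeping the same Referer on every hop.
    Returns the path finally served, or 'loop' if it never settles."""
    hops = 0
    while decide(path, referer, exempt_placeholder) == "redirect":
        hops += 1
        if hops > max_hops:
            return "loop"
        path = PLACEHOLDER
    return path

EXTERNAL = "http://other.example/gallery.html"   # constructed referrer

if __name__ == "__main__":
    print(follow("/photos/cat.jpg", EXTERNAL, exempt_placeholder=False))
    print(follow("/photos/cat.jpg", EXTERNAL, exempt_placeholder=True))
    print(follow("/photos/cat.jpg", "http://www.yourdomain.com/", True))
    print(follow("/photos/cat.jpg", "", True))
```

The last case is worth noting when relying on these rules: a request with an empty Referer is always served, so the rule set reduces casual hot linking but is not an access control.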

These are the general features of an .htaccess file; you can find more information from your web site developer and server administrator.