What is .htaccess and how is it being used?

An .htaccess file is a plain ASCII text file, the kind you create in a text editor such as Notepad or SimpleText. The name confuses many people: .htaccess is the complete file name, not an extension, so there is no such thing as somepage.htaccess. Its best-known uses are custom error pages and password-protected directories, but it can carry any per-directory Apache directive the server administrator permits.

Creating the File

To create the file, open a text editor and save an empty page as .htaccess. If the editor refuses to save an empty file, type a single character first. Many editors append their default extension: Notepad, for example, saves the file as .htaccess.txt, and the .txt (or whatever was added) must be removed before the file does anything. Rename it in the file manager, or rename it after uploading with the ftp client or in a telnet/ssh session.

Upload the file in ASCII mode, not binary, so that line endings are converted for the server. A mode of 644 (chmod 644 .htaccess) lets the server read the file; note that it does not by itself stop a browser from requesting it. What stops that is a server rule, present in Apache's default configuration, that refuses to serve any file whose name begins with .ht. If a browser can read the .htaccess of a password-protected directory, it learns the location of the authentication file; if that file is also web-accessible, an attacker can download the hash list, crack it offline, and walk into every area it protected. Prevent this by keeping authentication files above the document root, where no URL reaches them, and by keeping a rule in .htaccess that denies browser access to the .ht* files themselves.

Most .htaccess directives must stay on a single line, so turn off word wrap in the editor: a wrapped line splits a directive in the middle and Apache will not understand it. .htaccess is an Apache feature; NT/IIS servers do not read it. Apache is not tolerant of errors in an .htaccess file: one misspelled or disallowed directive makes every request to that directory and its subdirectories fail with a 500 Internal Server Error, so test after each change.

An .htaccess file affects the directory it sits in and all of its subdirectories. Apache reads every .htaccess file on the path from the document root down to the requested directory and merges them, so a directive in a deeper file overrides the same directive in a parent, while anything the deeper file does not mention is inherited unchanged. To keep a parent's setting out of a particular subdirectory, place a new .htaccess there that sets it the other way (for example re-enabling an Option the parent disabled); merely omitting the directive from the new file does not undo it. An .htaccess in the document root therefore reaches every directory on the entire site.

Do not scatter .htaccess files indiscriminately: redundant files cost lookups, and conflicting redirect rules at different levels can produce an endless loop of redirects or errors. Some hosts disallow .htaccess altogether, because a server carrying many domains slows down when every directory has to be scanned for one, and because a poorly written file can override configuration the administrator set deliberately. Check that your host permits .htaccess before relying on it.

Custom error documents are only one use of .htaccess. A single directive in the file names your own error page; the page can have any name and live anywhere on the site as long as a URL reaches it. Choose names that make the page's purpose obvious, such as notfound.html for a 404.

Password protection is one of .htaccess's strengths. You create a file, conventionally named .htpasswd, containing one line per allowed user with the user name and the hashed (not merely encrypted) password, and point the .htaccess directives at it. For maximum security, store .htpasswd outside any web-accessible directory.
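The protected directory described above, combined with the rule from the earlier paragraph that keeps the .ht* files away from browsers, as an added example that is not part of the original article. It uses Apache 2.4 syntax; the path /var/www/private/.htpasswd, the realm name and the user name are placeholders.

```apache
# Added example, not from the original article. Apache 2.4 syntax.
# Protects the directory this .htaccess lives in and everything below it.

# Credentials live OUTSIDE the document root, so no URL maps to them.
# Create the file with Apache's htpasswd tool using bcrypt hashing (-B):
#   htpasswd -B -c /var/www/private/.htpasswd alice     (placeholder path/user)
AuthType Basic
AuthName "Members only"
AuthUserFile /var/www/private/.htpasswd
Require valid-user

# Belt and braces: even if a copy of .htaccess or .htpasswd ends up inside the
# web root, refuse to serve any file whose name starts with ".ht".
# Apache's stock httpd.conf already carries this rule; repeating it here costs nothing.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
```

The host must allow the AuthConfig override for the Auth* and Require lines to work; if it does not, the directory answers 500 rather than prompting for a password, which is the quickest way to find out. Basic authentication sends the password in clear on every request, so pair this with HTTPS.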

Whole directories can be redirected from .htaccess without listing each file. Any request for a path under the old location is sent to the new one with the remainder of the original URL appended, so deep links keep working. Used correctly this is a very powerful feature.
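A directory redirect of the kind described above, as an added example that is not from the original article. The paths and the host names NewSite.com and static.YourSite.com are placeholders.

```apache
# Added example, not from the original article. Paths and hosts are placeholders.
# Every request under /old-docs/ is answered with a 301 to the same path under
# https://www.NewSite.com/docs/, keeping whatever follows the matched prefix:
#   /old-docs/guide/intro.html  ->  https://www.NewSite.com/docs/guide/intro.html
# The URL-path is always written from the site root, even in a subdirectory's .htaccess.
Redirect permanent /old-docs/ https://www.NewSite.com/docs/

# Redirect is a plain prefix match. When old and new layouts differ, use
# RedirectMatch with a regular expression and a back-reference instead:
#   /images/logo.png  ->  https://static.YourSite.com/img/logo.png
RedirectMatch permanent ^/images/(.*)$ https://static.YourSite.com/img/$1
```

Two details worth checking after deploying: the trailing slash in "/old-docs/" means a request for "/old-docs" without the slash is not matched, and a Redirect whose target lies inside its own source prefix (say /docs/ to /docs/new/) redirects forever.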

Besides custom error pages, password-protected folders and automatic redirection, .htaccess can map a file extension to a different handler (so that .html files are processed as PHP, for instance), ban visitors from particular IP addresses or admit only visitors from certain ones, stop directory listings, and name a different file as the directory index. When a browser reaches a directory protected this way it pops up its standard username/password dialog; scripts exist that embed a login form in the page instead and perform the authentication themselves. Used well, .htaccess saves time and improves a site's security.
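The IP allow-list and custom index file mentioned above, as an added example that is not from the original article. Apache 2.4 syntax; the address ranges are RFC 5737 documentation addresses standing in for a real office network and VPN host.

```apache
# Added example, not from the original article. Apache 2.4 syntax.
# Placed in /admin/.htaccess: only the office network and one VPN host may
# reach the admin area; everyone else receives 403 Forbidden.
<RequireAny>
    Require ip 203.0.113.0/24
    Require ip 198.51.100.7
</RequireAny>

# The opposite shape, "ban these addresses, admit everyone else":
#   <RequireAll>
#       Require all granted
#       Require not ip 192.0.2.0/24
#   </RequireAll>

# Serve admin.php rather than index.html as this directory's default page.
DirectoryIndex admin.php index.html
```

Require ip compares against the address of the TCP peer. Behind a reverse proxy, load balancer or CDN that address is the proxy's, so every visitor looks the same; configure mod_remoteip (RemoteIPHeader plus RemoteIPTrustedProxy) before trusting such a rule, otherwise it either blocks everyone or no one.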

Many hosts support .htaccess without advertising it, and others have the capability but forbid customers to use it. Any server running Apache on UNIX supports .htaccess in principle, but that does not mean the host allows it.

When to Use .htaccess Files

Use .htaccess files only when you do not have access to the main server configuration file. Contrary to common belief, user authentication does not have to be done in .htaccess files; when you control the server configuration, the preferred place for it is a <Directory> section in the main configuration.

They are for situations where a content provider needs per-directory configuration changes but has no root access on the server. The administrator can permit individual users to make such changes themselves in .htaccess files rather than editing the server configuration on their behalf every time. As a general rule, avoid .htaccess whenever the same settings can be made in a <Directory> section of the main server configuration file.

Two things argue against .htaccess files: performance and security. Merely permitting them costs performance whether or not any exist, because Apache has to look for one on every request, not just once: it checks the requested directory and every higher-level directory so that the full set of applicable directives is known. For a file under /www/htdocs/example that means four extra file-system lookups per request (/.htaccess, /www/.htaccess, /www/htdocs/.htaccess and /www/htdocs/example/.htaccess) even when none of them exists.

Security-wise, .htaccess lets users change server configuration, and those changes are outside the administrator's control. Consider carefully before granting that privilege. .htaccess files can be disabled completely by setting the AllowOverride directive to None, or limited to specific groups of directives by naming only those groups.
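What the administrator's side of this looks like, as an added example that is not from the original article: the permissive setting beside a least-privilege one. This belongs in the main server configuration (httpd.conf), not in an .htaccess file; the directory paths are placeholders and AllowOverrideList requires Apache 2.4.

```apache
# Added example, not from the original article. Main server configuration, not .htaccess.

# Weak: every .htaccess under the site may change anything, including Options
# (ExecCGI, FollowSymLinks, Includes) and handler mappings. Shown commented out.
#   <Directory "/var/www/html">
#       AllowOverride All
#   </Directory>

# Corrected: per-directory files may only touch authentication and host-based
# access control, plus the two individual directives the site actually needs.
# Any other directive in an .htaccess is then a configuration error (HTTP 500)
# rather than a silent privilege gain.
<Directory "/var/www/html">
    AllowOverride AuthConfig Limit
    AllowOverrideList ErrorDocument DirectoryIndex
</Directory>

# Where nobody needs per-directory overrides, switch them off entirely; with
# both set to None Apache does not even look for .htaccess files under this path,
# which also removes the per-request lookup cost.
<Directory "/var/www/static">
    AllowOverride None
    AllowOverrideList None
</Directory>
```

After editing, run apachectl configtest before reloading; a typo in a <Directory> block takes the whole server down, not just one directory.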

Here are a few examples of .htaccess directives.

Custom Error Pages

The first use of the .htaccess file which I will cover is custom error pages. These let you show your own error pages (for example when a file is not found) instead of your host's pages or no page at all, which makes the site look much more professional in the unlikely event of an error. An error page can also be a script that notifies you: for example, I use a PHP script on Free Webmaster Help to e-mail me automatically when a page is not found.

You can set a custom page for any error whose status code you know (404 for page not found, for instance) by adding the following line to your .htaccess file:

ErrorDocument errornumber /file.html

For example, if I had the file notfound.html in the root directory of my site and wanted to use it for a 404 error, I would use:

ErrorDocument 404 /notfound.html

If the file is not in the root directory of your site, give its path from the root:

ErrorDocument 500 /errorpages/500.html

These are some of the most common errors:

400 – Bad Request
401 – Authorization Required (Unauthorized)
403 – Forbidden
404 – Not Found
500 – Internal Server Error

example:

ErrorDocument 404 http://htaccess.net.ru/error/404.htm
ErrorDocument 403 http://htaccess.net.ru/error/403.htm
ErrorDocument 400 http://htaccess.net.ru/error/400.htm
ErrorDocument 500 http://htaccess.net.ru/error/500.htm

Note the difference between this form and the earlier ones: when the argument is a full URL, Apache answers the failing request with a redirect to that URL, so the client (and any search engine) receives a 302, not the real 404, 403 or 500. A local path such as /error/404.htm serves the page with the original status code, which is what you normally want.

Redirecting non-HTTPS requests to the HTTPS server: this fixes the double-login problem and ensures that the htpasswd credentials can only be entered over HTTPS

SSLOptions +StrictRequire
SSLRequireSSL
ErrorDocument 403 https://www.YourSite.com/

SSLRequireSSL makes mod_ssl reject any request that did not arrive over TLS with a 403, and it does so in the access-control stage, before authentication runs, so the browser never receives a Basic-auth challenge over plain HTTP (the double-login problem: prompted once over HTTP, then again over HTTPS). Because the 403 ErrorDocument is a full URL, Apache answers with a redirect to the HTTPS site instead of an error page. +StrictRequire keeps that denial in force even where other access rules would otherwise grant the request. Testing the host name with SSLRequire instead, as some copies of this snippet do, does not work: SSLRequire is only evaluated on connections that are already TLS, so it never forces anything onto HTTPS. Two caveats: the redirect lands on the site root rather than the page the visitor asked for, and every other 403 on the HTTPS site is now also turned into a redirect to that URL. Replace YourSite.com with your real domain name.
Redirecting YourSite.com to www.YourSite.com
If search engines find both www and non-www links from other sites to your site, they may treat http://YourSite.com and http://www.YourSite.com as two different websites with the same content. This means that your site can be penalized for duplicate content.

The usual advice is a 301 (permanent) redirect from YourSite.com to www.YourSite.com:

RewriteEngine On
RewriteCond %{HTTP_HOST} ^YourSite\.com$ [NC]
RewriteRule ^(.*)$ http://www.YourSite.com/$1 [R=301,L]

Replace “YourSite.com” with your real domain name.
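The two redirects above (plain HTTP to HTTPS, and bare domain to www) are often wanted together, and done as two separate rules they cost the visitor two redirects in a row. The following is an added example, not from the original article, that does both in one pass; YourSite.com is a placeholder.

```apache
# Added example, not from the original article; YourSite.com is a placeholder.
# One pass to the canonical https://www.YourSite.com/<same path>, so that a
# visitor on http://YourSite.com/page gets a single 301 instead of two chained
# ones (http -> https, then non-www -> www).
RewriteEngine On

# Fire when the scheme is not HTTPS OR the host is not already www.YourSite.com.
RewriteCond %{HTTPS} !=on [OR]
RewriteCond %{HTTP_HOST} !^www\.YourSite\.com$ [NC]
# %{REQUEST_URI} keeps the full requested path; the query string is carried
# over automatically because the substitution does not contain one.
RewriteRule ^ https://www.YourSite.com%{REQUEST_URI} [R=301,L]

# If TLS is terminated by a load balancer or CDN in front of Apache, %{HTTPS}
# is "off" on every request and the rule above redirects forever. Test the
# proxy's header instead, but only when the proxy is trusted to set it:
#   RewriteCond %{HTTP:X-Forwarded-Proto} !=https [OR]
```

One ordering caveat that matters for password-protected directories: rewrite rules in an .htaccess run in Apache's fixup phase, after authentication has already happened, so a directory that carries both this rule and Basic auth still challenges the browser over plain HTTP first. For such directories keep the SSLRequireSSL approach, which acts before authentication, or place the redirect in the virtual host configuration, where mod_rewrite runs early enough.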
Preventing directory listing
Servers are usually set up to suppress directory listings, but often they are not. If you have a directory full of downloads or images that you do not want people to browse through, one line in the .htaccess file hides the files from the listing:

IndexIgnore *

The * matches every file. Bear in mind that IndexIgnore only removes entries from the automatically generated listing; the listing page itself is still produced, just empty, and Options -Indexes is the directive that disables listings altogether. If, for example, you want to hide only images, use:

IndexIgnore *.gif *.jpg
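The weak setting beside the corrected one, as an added example that is not from the original article. It also illustrates the merge rule from the earlier section on directory inheritance, since the two files sit at different levels; the directory names are placeholders.

```apache
# Added example, not from the original article; directory names are placeholders.
# Apache reads every .htaccess from the document root down to the requested
# directory; a deeper file overrides a parent only for what it explicitly sets.

# --- /var/www/html/.htaccess (document root, so it covers the whole site) ---
# Weak: IndexIgnore only hides entries. A directory with no index file still
# answers with an auto-generated listing page, merely an empty one.
#   IndexIgnore *
# Corrected: turn directory listings off entirely; Apache answers 403 instead.
# (Needs "AllowOverride Options" or "AllowOverride All" from the administrator.)
Options -Indexes

# --- /var/www/html/downloads/.htaccess (this directory and below only) ---
# Leaving Options out of this file would NOT restore listings here; the parent's
# setting is inherited until it is reversed.
Options +Indexes
# With listings back on for /downloads/, keep housekeeping files out of view.
# (Needs "AllowOverride Indexes".)
IndexIgnore .??* *.tmp
```

To verify, request the directory URL without a file name: the root-level directory should return 403 Forbidden, /downloads/ should list its files without the dotfiles and temporary files.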
Protecting your bandwidth
"Bandwidth stealing," also known as "hot linking," is linking directly to non-HTML objects on another server, such as images or electronic books. Most often it is another site's images that are hot-linked.

To disallow hot linking on your server, create the following .htaccess file and upload it to the folder that contains the images you wish to protect:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?YourSite\.com/ [NC]
RewriteRule \.(gif|jpg)$ - [F,NC]

Replace "YourSite.com" with your own. The first condition lets requests with no Referer through (direct visits, bookmarks and browsers that suppress the header), the second exempts your own pages over either http or https, and anything else asking for a .gif or .jpg gets 403 Forbidden, so the hot-linking page shows a broken image. Since the Referer header is supplied by the client, treat this as a bandwidth measure rather than access control. If you would rather display an alternate image in place of the hot-linked one, replace the last line with these two (the extra condition exempts the substitute image itself; without it the browser's request for stop.gif arrives with the same foreign Referer and is redirected again, forever):

RewriteCond %{REQUEST_URI} !/stop\.gif$ [NC]
RewriteRule \.(gif|jpg)$ http://www.YourSite.com/stop.gif [R,L]

Replace “YourSite.com” and stop.gif with your real names.

Then all you need to do is create the image to display when this happens and upload it together with the .htaccess file.