Online .htpasswd Generator
Use the following .htpasswd generator to secure your Apache web directories.
Make sure you have a .htaccess and .htpasswd file in the directory you want to secure, then add the entries once you’ve generated your password.
Use the following .htpasswd generator to secure your Apache web directories.
Make sure you have a .htaccess and .htpasswd file in the directory you want to secure, then add the entries once you’ve generated your password.
Creating custom documents gives your site a more professional look, as not only are you providing a ‘net’ to catch unsuspecting visitors when they follow a bad link and such like, but they also allow you to customise the style of the page so you can maintain your basic site design by adding HTML.
# custom error documents ErrorDocument 401 /error/401.php ErrorDocument 403 /error/403.php ErrorDocument 404 /error/404.php ErrorDocument 500 /error/500.php
Being able to control access to certain areas of your server can be very useful. The following example demonstrates how to only allow access from those connecting from a 192.168.0 LAN IP pool. This could be easily modified to only allow access from a single remote IP address or addresses.
# no nasty crackers in here! order deny,allow deny from all allow from 192.168.0.0/24 # this would do the same thing.. #allow from 192.168.0
Hiding and denying access to files is crucial to servers that have sensitive data held within files that may be accessible via the website(s) on it. The following example demonstrates how to prevent acces to any files ending with .log – and is case insensitive (i.e. .LoG / .lOG / .loG).
Order allow,deny Deny from all Satisfy All
I have written a mod_rewrite tutorial, but this is worth a mention as a top 10 tip for .htaccess files as it’s becoming more and more commonly used these days – primarily for SEO purposes.
This example will redirect a request for http://edrackham.com/page_one.htm to http://edrackham.com/page_one.php. The r=301 tells apache to send a proper HTTP Permanently Moved redirection (301), which will update the address bar in the browser window to show ‘page_one.php’. Without this, you’d still see ‘page_one.htm’ even though you’re seeing a PHP page. This helps SEO, as spiders and search engines will update their listings to reflect the PHP versions.
Options +FollowSymlinks RewriteEngine on RewriteRule ^(.+)\.htm$ http://edrackham.com/$1.php [r=301,nc]
Shorter URLs are beneficial, as visitors that persist in typing full URLs won’t have to type as much, and they’re more memorable. Do they benefit SEO, even though the full URL contains the same keywords? I don’t know, maybe someone can tell me.
This example will rewrite a page requested as http://edrackham.com/files/code/apache.zip to http://edrackham.com/download.php?type=code&file=apache.
Options +FollowSymlinks RewriteEngine on RewriteRule ^files/(.+)/(.+).zip download.php?type=$1&file=$2 [nc]
Preventing hotlinking can reduce bandwidth, by disallowing other websites from displaying images hosted on your server. The following rule basically says that if the referer is NOT edrackham.com, run the following rule. The rule (on the next line) says that if the request is for a .gif, .jpg or.png then redirect the visitor to http://edrackham.com/img/hotlink_f_o.png. I’ll leave you to work out what the ‘f_o’ stands for.
Options +FollowSymlinks
# no hot-linking
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?edrackham\.com/ [nc]
RewriteRule .*\.(gif|jpg|png)$ http://edrackham.com/img/hotlink_f_o.png [nc]
Similar to the mod_rewrite code above, this will redirect a request for product-3.html to products.php?id=3. As we’re not using r=301, the requested page will remain in the browser’s address bar.
Options +FollowSymlinks RewriteEngine on RewriteRule ^product-([0-9]+)\.html$ products.php?id=$1
In my opinion, it’d be ace to block all requests from a Microsoft user agent, but alas, that wouldn’t be too cool as some people are still hell-bent on using a non-standards compliant browser. Having said that, Microsoft is making their new IE8 release standards compliant by default.
The following provides some examples for blocking requests to your server from certain user agents.
#####################################
# Deny Useragents
#####################################
RewriteCond %{HTTP_USER_AGENT} ^FrontPage [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Java.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Microsoft.URL [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^MSFrontPage [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline.Explorer [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^[Ww]eb[Bb]andit [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus [NC]
RewriteRule ^.*$ - [F]
Ever wanted to make your site look like it runs off a new language such as .w00t files? Well you can with .htaccess! Adding this neat one-liner, you can request .w00t files, which will be served and interpreted as .php type files.
AddType application/x-httpd-php .w00t
Sometimes, when clicking on media files, the browser wants to play or stream it directly from itself. Using the following rules, media files (.avi/.mpg/.wmv/.mp3 in this example) will provide a download dialog box instead.
# instruct browser to download multimedia files AddType application/octet-stream .avi AddType application/octet-stream .mpg AddType application/octet-stream .wmv AddType application/octet-stream .mp3
Sometimes you will require an SSL connection. This following snippet will do just that!
# require SSL
SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "domain.tld"
ErrorDocument 403 https://domain.tld
# require SSL without mod_ssl
RewriteCond %{HTTPS} !=on [NC]
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
Sources:
http://corz.org/serv/tricks/htaccess.php
http://roshanbh.com.np/2008/02/hide-php-url-rewriting-htaccess.html
http://expressproducts.net/htaccess.htm
http://perishablepress.com/press/2006/01/10/stupid-htaccess-tricks/#usa4
http://phpsecurity.wordpress.com/2007/12/22/htaccess-tips-and-tricks/
Have you seen those websites such as Digg and SVP that use fancy URLs such as http://domain.com/page_content? Yeah, sure this could be nearly achieved by simply renaming your pages to something like page_content.htm – but that would result in you having to change every page on your site to a suitably written filename, as well as relying on static pages. I’m going to attempt to demonstrate just how easy it really is to utilise mod_rewrite to have fancy – even “web 2.0″ – URLs within your site.