Make sure you have a .htaccess and .htpasswd file in the directory you want to secure, then add the entries once you’ve generated your password.

Creating custom documents gives your site a more professional look, as not only are you providing a ‘net’ to catch unsuspecting visitors when they follow a bad link and such like, but they also allow you to customise the style of the page so you can maintain your basic site design by adding HTML.

# custom error documents
ErrorDocument 401 /error/401.php
ErrorDocument 403 /error/403.php
ErrorDocument 404 /error/404.php
ErrorDocument 500 /error/500.php

Control Access

Being able to control access to certain areas of your server can be very useful. The following example demonstrates how to only allow access from those connecting from a 192.168.0 LAN IP pool. This could be easily modified to only allow access from a single remote IP address or addresses.

# no nasty crackers in here!
order deny,allow
deny from all
allow from 192.168.0.0/24
# this would do the same thing..
#allow from 192.168.0

Hide and Deny Files

Hiding and denying access to files is crucial to servers that have sensitive data held within files that may be accessible via the website(s) on it. The following example demonstrates how to prevent acces to any files ending with .log – and is case insensitive (i.e. .LoG / .lOG / .loG).

 Order allow,deny
 Deny from all
 Satisfy All

Basic Rewriting

I have written a mod_rewrite tutorial, but this is worth a mention as a top 10 tip for .htaccess files as it’s becoming more and more commonly used these days – primarily for SEO purposes.

This example will redirect a request for http://edrackham.com/page_one.htm to http://edrackham.com/page_one.php. The r=301 tells apache to send a proper HTTP Permanently Moved redirection (301), which will update the address bar in the browser window to show ‘page_one.php’. Without this, you’d still see ‘page_one.htm’ even though you’re seeing a PHP page. This helps SEO, as spiders and search engines will update their listings to reflect the PHP versions.

Options +FollowSymlinks
RewriteEngine on
RewriteRule ^(.+)\.htm$ http://edrackham.com/$1.php [r=301,nc]

Shorter URLs

Shorter URLs are beneficial, as visitors that persist in typing full URLs won’t have to type as much, and they’re more memorable. Do they benefit SEO, even though the full URL contains the same keywords? I don’t know, maybe someone can tell me.

This example will rewrite a page requested as http://edrackham.com/files/code/apache.zip to http://edrackham.com/download.php?type=code&file=apache.

Options +FollowSymlinks
RewriteEngine on
RewriteRule ^files/(.+)/(.+).zip download.php?type=$1&file=$2 [nc]

Prevent Hotlinking

Preventing hotlinking can reduce bandwidth, by disallowing other websites from displaying images hosted on your server. The following rule basically says that if the referer is NOT edrackham.com, run the following rule. The rule (on the next line) says that if the request is for a .gif, .jpg or.png then redirect the visitor to http://edrackham.com/img/hotlink_f_o.png. I’ll leave you to work out what the ‘f_o’ stands for.

Options +FollowSymlinks
# no hot-linking
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?edrackham\.com/ [nc]
RewriteRule .*\.(gif|jpg|png)$ http://edrackham.com/img/hotlink_f_o.png [nc]

Hiding Page Extension

Similar to the mod_rewrite code above, this will redirect a request for product-3.html to products.php?id=3. As we’re not using r=301, the requested page will remain in the browser’s address bar.

Options +FollowSymlinks
RewriteEngine on
RewriteRule ^product-([0-9]+)\.html$ products.php?id=$1

Ban Selected User Agents

In my opinion, it’d be ace to block all requests from a Microsoft user agent, but alas, that wouldn’t be too cool as some people are still hell-bent on using a non-standards compliant browser. Having said that, Microsoft is making their new IE8 release standards compliant by default.

The following provides some examples for blocking requests to your server from certain user agents.

#####################################
# Deny Useragents
#####################################

RewriteCond %{HTTP_USER_AGENT} ^FrontPage [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Java.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Microsoft.URL [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^MSFrontPage [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline.Explorer [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^[Ww]eb[Bb]andit [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus [NC]
RewriteRule ^.*$ - [F]

Making Other Filetypes Executable

Ever wanted to make your site look like it runs off a new language such as .w00t files? Well you can with .htaccess! Adding this neat one-liner, you can request .w00t files, which will be served and interpreted as .php type files.

AddType application/x-httpd-php .w00t

Force Media Downloads

Sometimes, when clicking on media files, the browser wants to play or stream it directly from itself. Using the following rules, media files (.avi/.mpg/.wmv/.mp3 in this example) will provide a download dialog box instead.

# instruct browser to download multimedia files
AddType application/octet-stream .avi
AddType application/octet-stream .mpg
AddType application/octet-stream .wmv
AddType application/octet-stream .mp3

Require SSL

Sometimes you will require an SSL connection. This following snippet will do just that!

# require SSL
SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "domain.tld"
ErrorDocument 403 https://domain.tld

# require SSL without mod_ssl
RewriteCond %{HTTPS} !=on [NC]
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]

Sources:

http://corz.org/serv/tricks/htaccess.php

http://roshanbh.com.np/2008/02/hide-php-url-rewriting-htaccess.html

http://expressproducts.net/htaccess.htm

http://perishablepress.com/press/2006/01/10/stupid-htaccess-tricks/#usa4

http://phpsecurity.wordpress.com/2007/12/22/htaccess-tips-and-tricks/

Mod_rewrite is useful for pages with dynamic content, such as those which rely on either POST or GET data to generate the content. A URL that looks something like

http://domain.com/product.php?product_id=19

would be ideal to control using mod_rewrite. The main reasons being that:

1. The URL is referencing dynamic content (as the GET suggests in the URL).
2. The page, product.php, will remain the same – yet load different data based on the value of the GET variable ‘product_id’.

So let’s get started shall we? If you know mod_rewrite works, start masking pages with mod_rewrite now!.

Testing Mod_Rewrite Works

In order to use mod_rewrite, you will need the following:

• The module ‘mod_rewrite’ enabled.
• Either have direct access to your httpd.conf file which won’t be entirely discussed in this tutorial, or have the ability to use .htaccess files within your site.
• Have the AllowOverride directive within the httpd.conf file set to allow rules for you to use mod_rewrite commands.

Don’t panic – most Apache web servers have the above enabled and ready to go! Let’s do a simple test to make sure everything is cool to go. Create a .htaccess file in your site’s root directory.

Insert the following text into your new .htaccess file:

Options +FollowSymLinks
Options +Indexes
RewriteEngine On

NOTE: The .htaccess file will affect all files within the same directory as itself, as well as sub-directories and their respective files. The directory can change, but for the purposes of this tutorial, we’re gonna stick this bad boy in your root directory.

Upload your .htaccess file to the root directory of your site, and load the index page (well, any valid page for that matter!). One of two things will happen (at least, I think I’m right here…). You’ll find that either:

• Your requested page loads just fine. Good.
• You get an Internal Server Error (500). Bad.

If you get the Internal Server Error (error 500), I’m afraid that it looks like either mod_rewrite isn’t installed, or your httpd.conf file doesn’t allow the required AllowOverride directives. If this is the case, and you do have access to edit your httpd.conf file, do so and set AllowOverride to ALL for your site root directory:

<Directory "/var/www/sites/www.domain.com">
AllowOverride All

NOTE: You can also add all of the mod_rewrite rules within the httpd.conf file instead of the .htaccess file if you so wish. My preference is to use the .htaccess file as it’s more portable, and generally easier to edit.

After you’ve edited the httpd.conf file / contacted your server guys or whatever – you should be good to go. If not, I’m all out of ideas. Sorry. Try Google for help :].

Assuming all’s working well, let’s get to the cool bits!

Masking Pages with Mod_Rewrite

This is kind of pointless, but is a simple demonstration for this tutorial. If you don’t care much for pointless, simple-to-understand demonstrations, go straight to the useful rewrite rules.

First create two basic HTML pages. Name them ‘page_one.htm‘ and ‘page_two.htm‘. Add a little dummy content to both of them, but make sure they have different content (this is so as we can differentiate the pages). Open your .htaccess file, and if you don’t have the main opening lines:

Options +FollowSymLinks
Options +Indexes
RewriteEngine On

Add them now. On the next free line, add the following:

RewriteRule ^page_one.htm$ page_two.htm [L]

Now, load page one. What do you see? Page two hopefully. How? Well, the RewriteRule breaks down like this:

RewriteRule [FIND THIS] [REPLACE WITH THIS] [FLAGS]

RewriteRules have 4 main parts to them. The rewrite action:

RewriteRule

Then the FIND THIS part:

^page_one.htm$

This is a regular expression. Everything found in between the circumflex (^) and dollar sign ($) will be searched for and saved as a variable (more on this later). If the FIND THIS value is found, it’ll be replaced with the third part of the RewriteRule – the REPLACE WITH THIS:

page_two.htm

The fourth and final part of the RewriteRule is the flags. You can put flags in between square brackets ([ ]) to control how mod_rewrite should deal with the rule itself.

[L]

I’ve simply used one flag, ‘L’. This means that this is the last rule. As we only have one rule at the moment, using this flag seems appropriate, as it’s the only, and last, rule. You can use multiple flags, by comma delimiting them. There is a list of the flags at the end of this tutorial.

Rewriting Dynamic URLs

Let’s take the first URL mentioned in this tutorial as the example for this part of the tutorial:

http://domain.com/product.php?product_id=19

Create a new PHP page called product.php. Add the following code between the tags:

You are viewing product <?php echo $_REQUEST['product_id']; ?>

Save, and upload your file. You can view my example of product.php to see how the page changes with the dynamic content from the GET request.

Let’s say you would prefer to use a cleaner URL, such as:

http://domain.com/product/19/

This could be achieved by adding the following line to your .htaccess file:

RewriteRule ^product/([0-9]+)/$ product.php?product_id=$1 [NC,L]

You can test this in action if you wish. If we break down the RewritRule into the four parts again, you should be able to see how it’s working:

RewriteRule

Here, we’re simply stating that we’re adding a new rule for mod_rewrite to use.

^product/([0-9]+)/$

As before, this is the FIND THIS value. We are looking for a string within the URL that contains product/[NUMERICAL VALUE]/ – that is, the word ‘product’, then a forward-slash (/), then a numerical value only, then a final forward slash. The magic here lies between the brackets ( ):

([0-9]+)

The brackets ( ) are telling mod_rewrite to store whatever it finds within the brackets in a variable. The [0-9]+ is a simple regular expression allowing only numbers 0 to 9, and the + sign means ‘any number of’. So we can have 99 or 123 for example, not just one number, such as a 9 or a 1.

we finally add a trailing slash (/) at the end to finish what we’re looking for (as our desired clean URL is product/[PRODUCT ID]/).

product.php?product_id=$1

The third part of our RewriteRule is the REPLACE WITH THIS part. Here you can see the actual page name, with the query string – but this time there’s something new. Where we used to have the product ID, we now have a variable $1. $1 will contain the value of the result of the regular expression found within the brackets in the FIND THIS part. Can you see it all falling into place now?

[NC,L]

Finally come the flags. I’ve used two flags here, NC meaning that the rule is case insensitive (it just protects us incase anyone uses http://domain.com/Product/19/ for example), and L meaning it’s our last rule.

Feel free to check this out with a working example. Change the number from 19 to a different number and see what happens.

Mod_Rewrite Flags

• C – Chain
• E – Environmental Variable
• F – Forbidden
• G – 410 Gone
• L – Last
• N – Next (Round)
• NC – No Case
• NE – No Escape
• NS – No SubRequest
• P – Proxy
• PT – Pass Through
• QSA – Query String Append
• R – Redirect
• S – Skip
• T – Type

Closure

I could go on and on with more examples of mod_rewrite, but that would exceed the scope of this tutorial – seeing as this is only a beginner’s tutorial. Through this tutorial, I hope that you’ve learned enough of the basics in order to get you started. You should now know:

• How to get mod_rewrite working.
• How to mask pages.
• How to create cleaner URLs for dynamic pages.

Useful Reading & References

• Apache’s Mod_Rewrite Documentation
• Mod_Rewrite Cheat Sheet
• Regular Expression Tutorials