cr3ativ3
I was surprised to find that there was no tutorial outlining more than one feature of .htaccess on the frihost forums.
I have decided to write my own, which I may decide to use on other tutorial sites in the future, so don't anyone think that someone has copied it if you see an exact copy of this tutorial somewhere else.
So let's get started.
---------------------------------------------------------------------------------------------
.htaccess General Use Tutorial
Introduction to .htaccess
This tutorial assumes you know the basics of the web and basic html/xhtml.
OK, so you want to learn about .htaccess, eh? Well, you have come to the right place. You have probably stumbled upon this tutorial because you have heard of .htaccess, don't really know much about it, but would like to learn.
.htaccess is a means of overriding certain configuration settings from the Apache httpd.conf file. You probably have no idea what I am talking about if you haven't worked with a server before, so I will explain this in more detail.
Apache is an HTTP server. All web servers run an HTTP server; I guess you could say an HTTP server is a web server. Apache is one of the top free HTTP servers, if not the top. Apache is configured using a file called httpd.conf, which contains all the configuration settings and other stuff. If you are on a shared server you won't have access to this file directly, so .htaccess allows you to modify some of the popular settings in httpd.conf.
Now, if you are an evil person you might be thinking to yourself, now I will learn how to ruin a server (mwahahahaha). Using .htaccess will only affect the folder you put it in and its subfolders, so too bad.
Oh, if you don't already know, .htaccess is the file you will use to enter the commands, so create a file named .htaccess. It is just .htaccess, not filename.htaccess, just plain .htaccess. I would recommend you create the file in the control panel that your web host has given you to edit your site, not an FTP client, because some FTP clients won't display the .htaccess file.
Popular uses for .htaccess.
Some popular uses for .htaccess would be:
Error Documents
Redirects
Prevent files from being (Hot Linked)
Prevent Directory Listing
Blocking Certain IPs/Sites
Password Protecting Your Directories
Change your default page
Error Documents
OK, first of all we will work with error documents. These can be very handy and a neat aspect of your website, and might also be useful in keeping track of missing pages.
I am sure you have noticed, when trying to get somewhere on the internet, that the page was not found (doesn't exist); in web terms we call it a 404 error. Using Apache you can have the server redirect visitors who encounter a 404 error on your domain (for example www.yourdomain.com/somerandompage, where somerandompage does not exist) to an error page; let's just say 404.html for now. 404.html could have your site's template and say sorry, this page does not exist, or something.
So in our .htaccess file let's enter this:
```apache
# The second argument is a URL path on your site, so it starts with a slash
ErrorDocument 404 /404.html
```
That is assuming 404.html is in the same directory as the .htaccess file. For other directories change it to:
```apache
ErrorDocument 404 /somedirectory/404.html
```
Now, there are many more error codes. The ones usually used in error pages, and the ones I will be teaching you about here, are: 500, 404, 403, and 401.
500 is an Internal Server Error message, usually caused by an issue with the server setup. 403 is a Forbidden error; the most usual cause is a user trying to access a directory that has no default page while directory listing is disabled. For example, http://www.somesite.com/somedirectory/ under those conditions would bring back a 403 error. 401 is Authorization Required; this is shown on a failure to log in to a .htaccess password protection system, which you will learn how to set up later.
So if we were to set up error pages for all of these, our .htaccess file would look like this:
```apache
ErrorDocument 401 /401.html
ErrorDocument 403 /403.html
ErrorDocument 404 /404.html
ErrorDocument 500 /500.html
```
Redirects
Redirects can be useful because there are downsides to meta redirects, the most common type of redirect, that .htaccess redirects don't have.
Let's take a look at the following code:
```apache
# The old location is a URL path and must start with a slash
Redirect /olddirectory/oldfile.html http://yourdomain.com/newdirectory/newfile.html
```
If we place this in our .htaccess file, then anyone who tries visiting oldfile.html will be redirected to http://yourdomain.com/newdirectory/newfile.html. So the three parts of the redirect are Redirect, then a [space], the old file, a [space], and where to redirect.
Some notes: the file or directory doesn't have to actually exist.
Prevent files from being (Hot Linked)
For those of you who don't know the meaning of hot linking: hot linking refers to someone linking directly to a file that is not on their own server.
Scenario:
Say site1.com and site2.com are on two different servers. site1.com has two files in its main directory, logo.png and styles.css; ahh, what the heck, let's add in a functions.js. Now site2.com has a web page on it, webpage.html, and in webpage.html is this:
```html
<html>
<head>
<script language="javascript" src="http://www.site1.com/functions.js"></script>
<link rel="stylesheet" type="text/css" href="http://www.site1.com/styles.css" />
</head>
<body>
<img src="http://www.site1.com/logo.png" />
</body>
</html>
```
So, as we can see in this scenario, site2.com is linking directly to the image on site1.com, and the same goes for the .js and .css files. This is the process of hot linking, and many webmasters don't like people doing this to files on their servers. The reason is that it takes up bandwidth/transfer on the server that contains the files. For more information on bandwidth do a Google search.
Now, to prevent people from being able to link to your files, say you were site1.com, you would have a .htaccess file with this in it:
```apache
RewriteEngine on
# Requests that send no Referer header are let through
RewriteCond %{HTTP_REFERER} !^$
# Requests coming from pages on your own domain are let through
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com/.*$ [NC]
# Anything else asking for these file types gets a 403 Forbidden
RewriteRule \.(png|js|css)$ - [F]
```
Now, before you have a brain meltdown: I know this is complicated, but you don't need to learn what all of that does right now as long as you just want to use it to stop hot linking. You would change yourdomain.com to whatever your domain is. Then on the last line, (png|js|css) lists the file types we don't want to be hot linked. You can add more file types by simply separating them with a |; for example, if we wanted to add jpg: (jpg|png|js|css). The check relies on the Referer header, which is sent by the visitor's browser, so it saves bandwidth but is not a way to keep files private.
Ideas:
Here is a cool technique to drive the person who is hot linking your images crazy. It allows you to replace the images with a different image on your server, maybe an image that says No HotLinking!
```apache
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com/.*$ [NC]
# Leave the substitute image itself alone, otherwise the redirect loops
RewriteCond %{REQUEST_URI} !/angryman\.gif$
RewriteRule \.(gif|jpg)$ http://www.yourdomain.com/angryman.gif [R,L]
```
Same idea: just replace yourdomain.com with your domain, but on the last line change the URL to the image on your site that you want to substitute. Now with this new capability I am sure you can figure out a way to ruin the site, but I am not going to show you how.
Prevent Directory Listing
You might be thinking, what is directory listing? Well, directory listing, which you have probably seen on sites before, is where all the files in a directory are displayed because the default file for that directory, usually index.*, is not there. Note this isn't supposed to happen; most servers have it disabled for security reasons, and the usual way to solve it is to create a plain index file. Using .htaccess we can prevent Apache from displaying the directory's files on servers that haven't been configured to prevent this.
Let's take a look at the following code:
```apache
Options -Indexes
```
Pretty simple: this will just disable directory listing completely. Now, if you haven't already guessed, if you want to display a directory then you would use:
```apache
Options +Indexes
```
You can also customize which files to display. Let's say we don't want to display any files that are .php or .png but we want to display all other files; we would do this:
```apache
Options +Indexes
IndexIgnore *.php *.png
```
Note: remember, don't allow people to see files that could compromise your website's security.
Blocking Certain IPs/Sites
Have you got a visitor who is wreaking havoc on your site? Maybe they are posting nasty comments on your public comment system. Well, using .htaccess we can block them from your site, or at least their IP address. They might start using proxies or a different computer and get past this, but at least it makes it harder for them.
Let's take a look at the following piece of code:
```apache
# Apache 2.2-style access control (provided by mod_access_compat on Apache 2.4)
order allow,deny
deny from 123.45.6.7
deny from 012.34.5.
allow from all
```
Now if we added this to the .htaccess file we would be banning the IP address 123.45.6.7 and the block 012.34.5.*. The trailing dot in the second address acts as a wildcard (the star), meaning that anything in that block will be blocked, like 012.34.5.0, 012.34.5.1, 012.34.5.2, 012.34.5.3, etc.
Now let's say we want to deny everyone but one IP address; then we would use this:
```apache
# With deny,allow the allow line overrides "deny from all" for this address
order deny,allow
deny from all
allow from 123.45.6.7
```
Now we would be allowing only the IP address 123.45.6.7 to visit the site. If you are unsure what an IP address is, google it.
You can even block sites from visiting your site; I am not exactly sure how this would be helpful, though.
```apache
order allow,deny
deny from .google.com
allow from all
```
This would block google.com from viewing your site, and any subdomains such as gmail.google.com. Just change .google.com to the site you want to block.
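The outcome of the rules above depends on how Apache combines order, allow and deny. The following Python model is an added example, not part of the original tutorial: it reproduces the Apache 2.2 evaluation rules and shows why a single-address whitelist needs `order deny,allow`. The policy names and client addresses are constructed, and the tutorial's partial address is written without its leading zero.

```python
import ipaddress


def spec_matches(spec, client_ip):
    """Return True if one allow/deny host spec covers client_ip.

    Handles 'all', a full IPv4 address, a partial address such as '12.34.5.'
    and CIDR notation. Hostname specs such as '.google.com' need a reverse
    DNS lookup and are not modelled here.
    """
    spec = spec.strip().lower()
    if spec == "all":
        return True
    if "/" in spec:
        network = ipaddress.ip_network(spec, strict=False)
        return ipaddress.ip_address(client_ip) in network
    octets = [part for part in spec.split(".") if part]
    if not all(part.isdigit() for part in octets):
        raise ValueError("hostname specs are not modelled: " + spec)
    if len(octets) == 4:
        return ipaddress.ip_address(client_ip) == ipaddress.ip_address(spec)
    # Partial address: compare only the leading octets that were given.
    return client_ip.split(".")[: len(octets)] == octets


def evaluate(order, allow, deny, client_ip):
    """Return True if the request is served, False if it gets a 403."""
    allowed = any(spec_matches(s, client_ip) for s in allow)
    denied = any(spec_matches(s, client_ip) for s in deny)
    mode = order.replace(" ", "").lower()
    if mode == "allow,deny":
        # An allow must match and no deny may match; the default is deny.
        return allowed and not denied
    if mode == "deny,allow":
        # A matching deny is overridden by a matching allow; default is allow.
        return allowed or not denied
    raise ValueError("unknown order: " + order)


# The tutorial's blacklist and whitelist, plus the ordering mistake to avoid.
# Each entry is (order, allow specs, deny specs).
POLICIES = {
    "blacklist": ("allow,deny", ["all"], ["123.45.6.7", "12.34.5."]),
    "whitelist": ("deny,allow", ["123.45.6.7"], ["all"]),
    "whitelist_wrong_order": ("allow,deny", ["123.45.6.7"], ["all"]),
}


def decide(policy, client_ip):
    order, allow, deny = POLICIES[policy]
    return evaluate(order, allow, deny, client_ip)


if __name__ == "__main__":
    # Constructed client addresses: two from the tutorial's ranges, one other.
    clients = ["123.45.6.7", "12.34.5.200", "198.51.100.9"]
    for name in POLICIES:
        for ip in clients:
            verdict = "200 OK" if decide(name, ip) else "403 Forbidden"
            print(f"{name:22} {ip:14} {verdict}")
```

With `whitelist_wrong_order` every client is refused, including 123.45.6.7, because under `order allow,deny` a matching deny always wins.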
Password Protecting Your Directories
You may want to protect a directory on your site but not know how. Other solutions using PHP, ASP, or even JavaScript would usually be very complicated to create.
With .htaccess we can create a protection system which simply prompts the user for a username and password on entering the directory or any files in it. You may be asking yourself, do I really want the user to have to log in over and over again to visit pages in a certain folder? Well, don't worry: this will keep the user logged in the whole time their browser is open, so they will only have to log back in if they exit their browser. There are other conditions which could cause the user to have to log back in, but for simplicity I'll just say they have to log back in if they exit their browser.
Using .htaccess protection is usually more secure than other solutions like PHP or ASP.
Let's take a look at the following code:
```apache
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /home/user/domains/yourdomain.com/public_html/securedir/.htpasswd
AuthGroupFile /dev/null
require valid-user
```
Let's look at the first line, AuthName "Restricted Area". This is the name of the prompt that pops up when the user visits the directory, so in this case it would say Restricted Area. Let's skip a line and look at this line: AuthUserFile /home/user/domains/yourdomain.com/public_html/securedir/.htpasswd. This is the 'absolute path' to our password file, which contains the usernames and passwords of the users who are able to log in at the prompt.
Now you're probably wondering how to find your absolute path. I made a neat little tool that you may use to find this. Just create a plain .php file on your server where you want to put your .htpasswd file, then paste this into the file:
```php
<?php echo $_SERVER['SCRIPT_FILENAME']; ?>
```
That will give you the absolute path to the .php file; just change the filename at the end to .htpasswd.
Now let's look at the contents of the .htpasswd file, which you should have created at the same location the absolute path points to.
```
tutorialuser:ZH1Lxn1bE.b6k
tutorialuser2:bf1VWZNWQC8lw
```
As you may have already guessed, what is before the : is the username and what is after it is the encrypted (hashed) password. You're probably asking yourself, how do I know the encrypted version of my password? Well, there is a neat script at JavaScript Kit for creating the .htaccess and .htpasswd files for password protection; here is a link: http://www.tools.dynamicdrive.com/password/
Note: As I was talking about in the error pages section, the 401 error is the error that occurs if the user exits the login without logging in. So you can create a page for that.
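A quick way to check a password file like the one above, as an added example that is not part of the original tutorial: the Python script below classifies each .htpasswd entry by hash format and reports whether the AuthUserFile sits inside the web root. The document root path and the bcrypt-shaped entry are assumptions constructed for the example; the two tutorialuser lines are the ones shown above.

```python
import re
from pathlib import PurePosixPath

# Hash formats Apache accepts in an AuthUserFile, most specific first.
SCHEMES = [
    ("bcrypt", re.compile(r"\$2[aby]\$\d\d\$[./A-Za-z0-9]{53}")),
    ("apr1-md5", re.compile(r"\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}")),
    ("sha1-unsalted", re.compile(r"\{SHA\}[A-Za-z0-9+/]{27}=")),
    # Traditional crypt(): 2 salt characters + 11 hash characters. Only the
    # first 8 characters of the password take part in the hash.
    ("des-crypt", re.compile(r"[./A-Za-z0-9]{13}")),
]
# Formats the Apache documentation calls insecure, plus anything unparsed.
WEAK = {"des-crypt", "sha1-unsalted", "unrecognised", "malformed"}


def classify(secret):
    """Name the hash format of the part after the colon."""
    for name, pattern in SCHEMES:
        if pattern.fullmatch(secret):
            return name
    return "unrecognised"  # plaintext, or a format not modelled here


def audit_htpasswd(text):
    """Return a (line number, user, scheme, is_weak) tuple per entry."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, secret = line.partition(":")
        scheme = classify(secret) if sep and user else "malformed"
        findings.append((lineno, user, scheme, scheme in WEAK))
    return findings


def inside_docroot(auth_user_file, docroot):
    """True if the password file lives under the directory Apache serves."""
    try:
        PurePosixPath(auth_user_file).relative_to(PurePosixPath(docroot))
        return True
    except ValueError:
        return False


# First two lines are from the tutorial; the third is a constructed
# placeholder with the shape of a bcrypt hash, not a real one.
SAMPLE_HTPASSWD = "\n".join([
    "tutorialuser:ZH1Lxn1bE.b6k",
    "tutorialuser2:bf1VWZNWQC8lw",
    "stronguser:$2y$10$" + "a" * 53,
])
# AuthUserFile as quoted in the tutorial; DOCROOT is an assumed layout.
AUTH_USER_FILE = "/home/user/domains/yourdomain.com/public_html/securedir/.htpasswd"
DOCROOT = "/home/user/domains/yourdomain.com/public_html"

if __name__ == "__main__":
    for lineno, user, scheme, weak in audit_htpasswd(SAMPLE_HTPASSWD):
        print(f"line {lineno}: {user:14} {scheme:14} {'WEAK' if weak else 'ok'}")
    if inside_docroot(AUTH_USER_FILE, DOCROOT):
        print("AuthUserFile is inside the web root: it stays private only "
              "while the server refuses to serve .ht* files")
```

Entries flagged as weak can be regenerated with Apache's own `htpasswd -B`, which writes bcrypt hashes.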
Change Your Default Page
Many of you, if you have worked with even the simplest/worst of websites, will know what a default page is. If not, a default page is the page that is called up when just the directory is requested. For instance, on most servers index.* is the default page, so when you visit www.yourdomain.com it would really show you www.yourdomain.com/index.*; the same would happen if you visited www.yourdomain.com/directory/, which would show you www.yourdomain.com/directory/index.* (* being the extension of the file).
Let's take a look at the following code:
```apache
DirectoryIndex default.html default.htm default.php default.asp
```
Pretty simple, and I am sure you understand this, but if not: this sets the default page to default.html instead of the usual index.html. We have also appended more names, so if there is no default.html then it would use default.htm, and if no default.htm could be found then it would use default.php, and so on. If you want to add names, just separate them with a space; the server selects which one to use by the order of the list.
Conclusion
Look, we're already at the conclusion of the tutorial, so I would just like to point some things out again if I haven't already.
Certain servers that are set up incorrectly, or are just plain bad, will allow a visitor to view the .htaccess file directly from their browser, which can be a security risk if you're using password protection. So just stick this at the top of your .htaccess file to prevent it:
```apache
<Files .htaccess>
order allow,deny
deny from all
</Files>
```
.htaccess will affect the directory it is put in and any subdirectories. If you don't want it to affect a directory below it, just put a .htaccess file in that directory (a directory uses the .htaccess file nearest to it).
.htaccess does use Apache and can cause the server to slow down, so make sure you ask your host before using .htaccess; you don't want to get into trouble.
.htaccess only works on servers that are running Apache as the server software; most web hosts use Apache.
Use .htaccess sparingly.
And most of all have fun.
Also, just before I leave you with this, I would like to post a .htaccess file that someone might find useful for a site.
```apache
<Files .htaccess>
order allow,deny
deny from all
</Files>

ErrorDocument 403 /403.html
ErrorDocument 404 /404.html
ErrorDocument 500 /500.html

DirectoryIndex default.htm default.html default.php

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com/.*$ [NC]
RewriteRule \.(gif|jpg|png|bmp|js|css)$ - [F]

IndexIgnore *
```
Thank you for reading this very very very long tutorial. If you see any errors or run into a problem, please just post and I will see if I can figure it out.
