Using .htaccess¶
.htaccess is a file that enables local overrides of the Apache configuration without having to edit the server configuration. The settings defined in .htaccess apply to the directory it is saved in and to all of its subdirectories.
Beware: many CMSs ship their own .htaccess files, and the rules defined there are required for their operation. In that case, do not overwrite the file. Append your rules instead, and check carefully that they do not conflict with the existing ones.
Authentication¶
This is a simple way to enable authentication for your website.
AuthUserFile /absolute/path/to/.htpasswd
AuthType Basic
AuthName "Text shown in the pop-up login window"
Require valid-user
If you have SSH access to the server, you can generate the .htpasswd file directly:
htpasswd -bc .htpasswd user password
If you have neither SSH access nor any other Linux system available (the htpasswd command is part of the apache2-utils package), you can use an online generator:
https://www.htaccesstools.com/htpasswd-generator/
However, this is a security risk, as you have no guarantee that the author of the website does not save the generated passwords.
Rewrite rules¶
The rewrite module (mod_rewrite) allows you to redirect, spoof and alter URLs. It has many uses, so we will showcase several common scenarios. If you want to use rewrite rules in your .htaccess file, you first need to enable them:
RewriteEngine On
Redirect to www subdomain¶
RewriteCond %{HTTP_HOST} ^exampledomain\.com [NC]
RewriteRule (.*) https://www.exampledomain.com/$1 [R=301,QSA,L]
Redirect to a different domain, including the request URI¶
RewriteCond %{HTTP_HOST} somedomain\.com [NC]
RewriteRule ^(.*)$ https://anotherdomain.com/$1 [R=301,QSA,L]
Simple spoofing¶
RewriteRule requested\.php /spoofed.php
RewriteRule ^requested-page /spoofed.php
RewriteRule ^requested-content /index.php?page=requested
RewriteRule ^news/ /index.php?category=news&page=1&sort=newest
Spoofing a pretty URL with variable¶
The following rule will transform www.someshop.com/hoover-23 to www.someshop.com/index.php?category=products&type=hoovers&id=23.
RewriteRule ^hoover-(.*) index.php?category=products&type=hoovers&id=$1 [QSA,L]
The difference between spoofing and redirecting is that with spoofing, the URL in the browser does not change, but the client is served the content of the spoofed URL with a 200 HTTP return code. A redirect, on the other hand, changes the URL and returns a 301 or 302 HTTP return code.
You can find more examples in the official documentation:
http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html
http://httpd.apache.org/docs/2.0/misc/rewriteguide.html
Redirects¶
Furthermore, you can set up a simple redirect without using mod_rewrite.
Redirect 301 /old-file.php /new-file.php
Redirect 301 /old-page.html http://www.exampledomain.com/new-page/
Custom error documents¶
You can also set up custom error pages:
ErrorDocument 401 /errors/authorization-needed.php
ErrorDocument 403 /errors/access-denied.php
ErrorDocument 404 /errors/not-found.php
ErrorDocument 500 /errors/internal-server-error.php
ErrorDocument 503 /errors/temporarily-unavailable.php
Directory listing¶
By default, when trying to access a directory without index.php, the server returns a 403 Forbidden response. If you would like to list the directory contents instead, you can achieve that with the following directive.
Options +Indexes
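Several of the directives above fail silently or expose more than intended when written slightly wrong, so it helps to check a file before uploading it. The following Python checker is an added example, not part of the original documentation; the function name `lint_htaccess`, the finding codes, the rule set and the sample file are constructed for illustration, and Unix-style absolute paths are assumed.

```python
# Constructed sample .htaccess containing common mistakes (not a real site's file).
SAMPLE = r"""AuthUserFile .htpasswd
AuthType Basic
Require valid-user
RewriteEngine On
RewriteCond %{HTTP_HOST} somedomain\.com [NC]
RewriteRule ^/(.*)$ https://anotherdomain.com/$1 [R=301,QSA,L]
RewriteRule ^hoover-(.*) index.php?category=products&type=hoovers&id=$1 [QSA,L]
Option +Indexes
Options +Indexes
"""

def lint_htaccess(text):
    """Return (line_number, code, message) findings; the rule set is this example's own."""
    findings, engine_on, first_rule = [], False, None
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        name, args = parts[0].lower(), parts[1:]
        if name == "rewriteengine":
            engine_on = bool(args) and args[0].lower() == "on"
        elif name == "rewriterule" and args:
            first_rule = first_rule or no
            if args[0].startswith("^/"):
                # In .htaccess the pattern is matched against the path without its leading slash.
                findings.append((no, "leading-slash", "pattern starting with ^/ never matches in .htaccess"))
        elif name == "rewritecond" and len(args) >= 2 and args[0].upper() == "%{HTTP_HOST}":
            if not (args[1].startswith("^") and args[1].endswith("$")):
                findings.append((no, "host-unanchored", "host pattern also matches longer host names"))
        elif name == "authuserfile" and args and not args[0].strip('"').startswith("/"):
            # A relative AuthUserFile is resolved against ServerRoot, not this directory.
            findings.append((no, "relative-authfile", "use an absolute path to the password file"))
        elif name == "option":
            findings.append((no, "unknown-directive", "the directive is spelled 'Options'"))
        elif name == "options" and any(a.lstrip("+").lower() == "indexes" for a in args):
            findings.append((no, "dir-listing", "directory listing exposes file names to visitors"))
    if first_rule and not engine_on:
        findings.append((first_rule, "engine-off", "no 'RewriteEngine On' in this file"))
    return findings

if __name__ == "__main__":
    for no, code, msg in lint_htaccess(SAMPLE):
        print(f"line {no}: [{code}] {msg}")
```

The `dir-listing` finding is informational: it marks the place where listing was turned on so you can confirm that every file in that directory is meant to be public.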