Tuesday, March 18, 2014

Ultimate Guide and tutorial for .htaccess Files

In this tutorial you will find out about the .htaccess file and the power it has to improve your website.


Enabling .htaccess:


.htaccess files are normally enabled by default. This is actually controlled by the AllowOverride directive in the httpd.conf file.


# Only allow .htaccess files to override Authorization and Indexes
AllowOverride AuthConfig Indexes

 


.htaccess Code for Error pages


You will probably want to create an error document for codes 404 and 500, or at the very least 404, since this gives you a chance to handle requests for pages that are not found. A 500 document helps with internal server errors in any scripts running on your website. You may also want to consider ErrorDocuments for 401 – Authorization Required (as when somebody tries to enter a protected area of your site without the proper credentials), 403 – Forbidden (as when a requested file has permissions that do not allow the user to access it) and 400 – Bad Request, a generic error that people reach by doing something unusual with your URLs or scripts.


You can use custom error pages for any error as long as you know its number (like 404 for page not found) by adding the following to your .htaccess file:


ErrorDocument 404 /errors/notfound.html

You can also set custom pages for other errors with this .htaccess code:


ErrorDocument 400 /error404.html
ErrorDocument 401 /error401.html
ErrorDocument 403 /error403.html
ErrorDocument 404 /error404.html
ErrorDocument 500 /error500.html

RewriteEngine On turns on rewrite rules in the Apache server. If you want to turn them off, just change the value to off.


RewriteEngine on

Domain Redirection

.htaccess code for redirecting yourwebsite.com to www.yourwebsite.com:

# Match requests for the bare domain and redirect them permanently to www
RewriteCond %{HTTP_HOST} ^yourwebsite\.com
RewriteRule (.*) http://www.yourwebsite.com/$1 [R=301,L]

 



Sub Domain Redirection

Subdomain redirection mapped to a folder. Here http://www.yourwebsite.com is mapped to the website_folder folder.

# Skip requests that are already inside the folder to avoid a rewrite loop
RewriteCond %{HTTP_HOST} ^www\.yourwebsite\.com$
RewriteCond %{REQUEST_URI} !^/website_folder/
RewriteRule (.*) /website_folder/$1

 



Here http://subdomain.yourwebsite.com is mapped to the subdomain_folder folder.

RewriteCond %{HTTP_HOST} ^subdomain\.yourwebsite\.com$
RewriteCond %{REQUEST_URI} !^/subdomain_folder/
RewriteRule (.*) /subdomain_folder/$1

 



Old Domain Redirection

.htaccess code for redirecting an old domain (abc.com) to a new domain (xyz.com). Live demo: fglogin.com is now redirecting to oauthlogin.com

# Redirect the bare old domain to the new domain
RewriteCond %{HTTP_HOST} ^abc\.com
RewriteRule (.*) http://www.xyz.com/$1 [R=301,L]

# Redirect the www form of the old domain to the new domain as well
RewriteCond %{HTTP_HOST} ^www\.abc\.com
RewriteRule (.*) http://www.xyz.com/$1 [R=301,L]

 



 


Hiding File Extension


http://www.yourwebsite.com/index.html


to


http://www.yourwebsite.com/index



RewriteRule ^([^/.]+)/?$ $1.html

 



Password Protection


There are many ways to password protect areas of your website, some using a server-side language (such as ASP, PHP or Perl) and some client-side, such as JavaScript. JavaScript is not as secure or foolproof as a server-side option; a server-side challenge/response is always more secure than a client-dependent challenge/response. htaccess is about as secure as you can or need to get in everyday life, though there are ways above and beyond even that of htaccess.


For example, for a username and password of wsabstract (and I do not recommend having the username be the same as the password), the htpasswd file would look like this:


tutorialworld:y4E7Ep8e7EYV

 


Create a new htaccess file and place the following code in it:


AuthUserFile /usr/local/you/safedir/.htpasswd
AuthGroupFile /dev/null
AuthName EnterPassword
AuthType Basic

require user tutorialworld

You can generate a htaccess password here
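
Basic authentication sends the username and password base64-encoded, not encrypted, with every request, so the protection above is only as strong as the transport underneath it. The following variant is an added example, not part of the original tutorial: it refuses plain-HTTP requests and assumes Apache 2.4 with mod_ssl loaded, reusing the tutorial's file path and user name.

```apache
# Added example: Basic auth that is only reachable over HTTPS.
# Assumes Apache 2.4 with mod_ssl, mod_auth_basic and mod_authn_file loaded,
# and "AllowOverride AuthConfig" in effect for this directory.

# Reject any request for this directory that did not arrive over TLS,
# so the credentials are never sent over plain HTTP.
SSLRequireSSL

AuthType Basic
AuthName "Enter Password"
AuthBasicProvider file
# Keep the password file outside the document root so it cannot be requested.
AuthUserFile "/usr/local/you/safedir/.htpasswd"
Require user tutorialworld

# Create the entry with a bcrypt hash rather than the legacy crypt() format:
#   htpasswd -B -c /usr/local/you/safedir/.htpasswd tutorialworld
```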


 


Deny/Allow Certain IP Addresses


In some situations, you may want to allow only people with specific IP addresses to access your site (for example, only allowing people using a particular ISP to get into a certain directory), or you may want to ban certain IP addresses (for example, keeping disruptive members out of your message boards).


You can block an IP address by using:


deny from 000.000.000.000

You can allow an IP address by using:


allow from 000.000.000.000

 


 


You can also deny or ban IP addresses using this .htaccess IP address banning generator.


 


Blocking bad bots and site rippers (aka offline browsers)


Below is a useful code block you can insert into your .htaccess file to block many of the known bad bots and site rippers currently out there.


RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:craftbot@yahoo.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
RewriteCond %{HTTP_USER_AGENT} ^Download\ Demon [OR]
RewriteCond %{HTTP_USER_AGENT} ^eCatch [OR]
RewriteCond %{HTTP_USER_AGENT} ^EirGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [OR]
RewriteCond %{HTTP_USER_AGENT} ^Express\ WebPictures [OR]
RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [OR]
RewriteCond %{HTTP_USER_AGENT} ^EyeNetIE [OR]
RewriteCond %{HTTP_USER_AGENT} ^FlashGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetRight [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetWeb! [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go!Zilla [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go-Ahead-Got-It [OR]
RewriteCond %{HTTP_USER_AGENT} ^GrabNet [OR]
RewriteCond %{HTTP_USER_AGENT} ^Grafula [OR]
RewriteCond %{HTTP_USER_AGENT} ^HMView [OR]
RewriteCond %{HTTP_USER_AGENT} HTTrack [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Stripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^InterGET [OR]
RewriteCond %{HTTP_USER_AGENT} ^Internet\ Ninja [OR]
RewriteCond %{HTTP_USER_AGENT} ^JetCar [OR]
RewriteCond %{HTTP_USER_AGENT} ^JOC\ Web\ Spider [OR]
RewriteCond %{HTTP_USER_AGENT} ^larbin [OR]
RewriteCond %{HTTP_USER_AGENT} ^LeechFTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mass\ Downloader [OR]
RewriteCond %{HTTP_USER_AGENT} ^MIDown\ tool [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mister\ PiX [OR]
RewriteCond %{HTTP_USER_AGENT} ^Navroad [OR]
RewriteCond %{HTTP_USER_AGENT} ^NearSite [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetAnts [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Net\ Vampire [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Octopus [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Navigator [OR]
RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^Papa\ Foto [OR]
RewriteCond %{HTTP_USER_AGENT} ^pavuk [OR]
RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [OR]
RewriteCond %{HTTP_USER_AGENT} ^RealDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^ReGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [OR]
RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperBot [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Surfbot [OR]
RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [OR]
RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [OR]
RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebAuto [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebCopier [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebFetch [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebSauger [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ Quester [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebWhacker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget [OR]
RewriteCond %{HTTP_USER_AGENT} ^Widow [OR]
RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus
RewriteRule ^.* - [F,L]

 


Prevent viewing of .htaccess file


 




If you use htaccess for password protection, then the location containing all of your password information is plainly available through the htaccess file. If you have set incorrect permissions or if your server is not as secure as it could be, a browser has the potential to view an htaccess file through a standard web interface and thus compromise your site/server. This, of course, would be a bad thing. However, it is possible to prevent an htaccess file from being viewed in this manner:


<Files .htaccess>
order allow,deny
deny from all
</Files>

 


The first line specifies that the file named .htaccess is having this rule applied to it. You could use this for other purposes as well if you get creative enough.
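
The deny/allow rules in the IP address section and the <Files .htaccess> block above use the Apache 2.2 access-control directives. The following is an added example, not part of the original tutorial, showing the same three policies in native Apache 2.4 syntax; the IP addresses are constructed from the documentation ranges and admin.php is a hypothetical file name.

```apache
# Added example: Apache 2.4 equivalents of the access rules in this tutorial.
# "Order", "Allow" and "Deny" still work on 2.4 only through mod_access_compat;
# the native syntax is "Require" (mod_authz_core / mod_authz_host).
# Needs "AllowOverride AuthConfig" to be usable from .htaccess.
# Addresses are constructed, taken from the RFC 5737 documentation ranges.

# 1) Ban specific addresses and allow everyone else.
#    2.2 form: "order allow,deny" / "allow from all" / "deny from 192.0.2.10"
<RequireAll>
    Require all granted
    Require not ip 192.0.2.10
    Require not ip 198.51.100.0/24
</RequireAll>

# 2) Allow only listed addresses, here for one file (hypothetical name).
#    Several Require lines outside a container mean "any of these".
#    2.2 form: "order deny,allow" / "deny from all" / "allow from 203.0.113.0/24"
<Files "admin.php">
    Require ip 203.0.113.0/24
    Require ip 192.0.2.25
</Files>

# 3) Never serve .htaccess, .htpasswd or any other ".ht*" file.
#    2.2 form: "order allow,deny" / "deny from all"
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
```

Pick one syntax per site: mixing the 2.2 directives with Require in the same configuration makes the resulting policy hard to reason about.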


 


Preventing hot linking of images and other file types


Recently, when I did an image search for images on my website, I found that some sites are using the same images that I uploaded to my server. Those websites use the images directly by loading them from my server. If you are a website owner or a blogger, I'm sure that you may also have experienced the same problem. The process of stealing images from a website without the permission of the website owner is called hotlinking. Nowadays it is found to be a common practice.


With all the pieces in place, here’s how to disable hot linking of certain file types on your site, in the case below, images, JavaScript (js) and CSS (css) files on your site. Simply add the below code to your .htaccess file, and upload the file either to your root directory, or a particular subdirectory to localize the effect to just one section of your site:


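RewriteEngine on
# Let through requests that carry no Referer header at all
RewriteCond %{HTTP_REFERER} !^$
# Let through requests whose Referer is this site
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain\.com/.*$ [NC]
RewriteRule \.(gif|jpg|js|css)$ - [F]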

 


Be sure to replace “mydomain.com” with your own. The above code creates a failed request when hot linking of the specified file types occurs. In the case of images, a broken image is shown instead.


Serving alternate content when hot linking is detected


You can set up your .htaccess file to actually serve up different content when hot linking occurs. This is more commonly done with images, such as serving up an Angry Man image in place of the hot linked one. The code for this is:


RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain\.com/.*$ [NC]
RewriteRule \.(gif|jpg)$ http://www.mydomain.com/tutorial.gif [R,L]

Same deal: replace mydomain.com with your own, plus tutorial.gif.


 


WordPress Preconfigured htaccess


Basic WP


# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

 


Multisite



WordPress 3.5 and up


If you activated Multisite on WordPress 3.5 or later, use one of these.


Subfolder Example


RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]

# add a trailing slash to /wp-admin
RewriteRule ^([_0-9a-zA-Z-]+/)?wp-admin$ $1wp-admin/ [R=301,L]

RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-(content|admin|includes).*) $2 [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?(.*\.php)$ $2 [L]
RewriteRule . index.php [L]

 


SubDomain Example


RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]

# add a trailing slash to /wp-admin
RewriteRule ^wp-admin$ wp-admin/ [R=301,L]

RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^(wp-(content|admin|includes).*) $1 [L]
RewriteRule ^(.*\.php)$ $1 [L]
RewriteRule . index.php [L]

 


 


Joomla Preconfigured htaccess


## Can be commented out if causes errors, see notes above.
Options +FollowSymLinks

#
# mod_rewrite in use

RewriteEngine On

########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!
#
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common exploits

# Uncomment following line if your webserver's URL
# is not directly related to physical file paths.
# Update Your Joomla! Directory (just / for root)

# RewriteBase /

########## Begin - Joomla! core SEF Section
#
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/index.php
RewriteCond %{REQUEST_URI} (/|\.php|\.html|\.htm|\.feed|\.pdf|\.raw|/[^.]*)$ [NC]
RewriteRule (.*) index.php
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
#

 Drupal htaccess


#
# Apache/PHP/Drupal settings:
#

# Protect files and directories from prying eyes.
<FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format)$">
Order allow,deny
</FilesMatch>

# Don't show directory listings for URLs which map to a directory.
Options -Indexes

# Follow symbolic links in this directory.
Options +FollowSymLinks

# Make Drupal handle any 404 errors.
ErrorDocument 404 /index.php

# Force simple error message for requests for non-existent favicon.ico.
<Files favicon.ico>
# There is no end quote below, for compatibility with Apache 1.3.
ErrorDocument 404 "The requested file favicon.ico was not found.
</Files>

# Set the default handler.
DirectoryIndex index.php

# Override PHP settings. More in sites/default/settings.php
# but the following cannot be changed at runtime.

# PHP 4, Apache 1.
<IfModule mod_php4.c>
php_value magic_quotes_gpc 0
php_value register_globals 0
php_value session.auto_start 0
php_value mbstring.http_input pass
php_value mbstring.http_output pass
php_value mbstring.encoding_translation 0
</IfModule>

# PHP 4, Apache 2.
<IfModule sapi_apache2.c>
php_value magic_quotes_gpc 0
php_value register_globals 0
php_value session.auto_start 0
php_value mbstring.http_input pass
php_value mbstring.http_output pass
php_value mbstring.encoding_translation 0
</IfModule>

# PHP 5, Apache 1 and 2.
<IfModule mod_php5.c>
php_value magic_quotes_gpc 0
php_value register_globals 0
php_value session.auto_start 0
php_value mbstring.http_input pass
php_value mbstring.http_output pass
php_value mbstring.encoding_translation 0
</IfModule>

# Requires mod_expires to be enabled.
<IfModule mod_expires.c>
# Enable expirations.
ExpiresActive On

# Cache all files for 2 weeks after access (A).
ExpiresDefault A1209600

<FilesMatch \.php$>
# Do not allow PHP scripts to be cached unless they explicitly send cache
# headers themselves. Otherwise all scripts would have to overwrite the
# headers set by mod_expires if they want another caching behavior. This may
# fail if an error occurs early in the bootstrap process, and it may cause
# problems if a non-Drupal PHP file is installed in a subdirectory.
ExpiresActive Off
</FilesMatch>
</IfModule>

# Various rewrite rules.
<IfModule mod_rewrite.c>
RewriteEngine on

# If your site can be accessed both with and without the 'www.' prefix, you
# can use one of the following settings to redirect users to your preferred
# URL, either WITH or WITHOUT the 'www.' prefix. Choose ONLY one option:
#
# To redirect all users to access the site WITH the 'www.' prefix,
# (http://example.com/... will be redirected to http://www.example.com/...)
# adapt and uncomment the following:
# RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
# RewriteRule ^(.*)$ http://www.example.com/$1 [L,R=301]
#
# To redirect all users to access the site WITHOUT the 'www.' prefix,
# (http://www.example.com/... will be redirected to http://example.com/...)
# uncomment and adapt the following:
# RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]
# RewriteRule ^(.*)$ http://example.com/$1 [L,R=301]

# Modify the RewriteBase if you are using Drupal in a subdirectory or in a
# VirtualDocumentRoot and the rewrite rules are not working properly.
# For example if your site is at http://example.com/drupal uncomment and
# modify the following line:
# RewriteBase /drupal
#
# If your site is running in a VirtualDocumentRoot at http://example.com/,
# uncomment the following line:
# RewriteBase /

# Rewrite URLs of the form 'x' to the form 'index.php?q=x'.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !=/favicon.ico
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
</IfModule>

# $Id: .htaccess,v 1.90.2.5 2010/02/02 07:25:22 dries Exp $

 


