A .htaccess (hypertext access) file is a directory-level plain text configuration file for web servers, which, in simple terms, controls access to a certain directory in your server. The use of .htaccess files became popular because they could be used to override global level server settings related to access of directories. However, in recent times, .htaccess can override many other configuration settings.<\/p>\n
Several modern web servers like Apache support .htaccess or related files. Although some other popular servers like Nginx do not have a direct support for .htaccess files, there are ways by which we can convert .htaccess rules to work in Nginx.<\/p>\n
.htaccess rules apply to a directory and all its subdirectories, unless there are more .htaccess files present within the sub-directories. The permissions of the .htaccess should be such that it allows universal read access but user only write access.<\/p>\n
.htaccess files are read on every request. Therefore, any changes to these files result in immediate effect, unlike the global settings, which require the server to be restarted. Also, the .htaccess files enables each user to set their permissions for a server with many users.<\/p>\n
There is a big catch, though. Since every request requires the web server to read all .htaccess files, it can lead to performance issues if there is a considerable load. Also, decentralizing the settings to different users can lead to security issues, especially if the .htaccess files are not configured properly.<\/p>\n
If you want to make changes to a .htaccess file, make sure you keep a backup as a slight syntax error can bring the server down. It is also advisable to put appropriate comments when changing .htaccess files.<\/p>\n
Listed here are a few practical things that you can do with .htaccess files.<\/p>\n
Hotlinking is a process where one web site links directly to an object on another site. The object might be an image, an audio or a video file. Although it doesn\u2019t really hurt for your site\u2019s content to be on another, the downside is a significant amount of your bandwidth that this process eats up!<\/p>\n
Any post on .htaccess would be incomplete without mentioning how we can prevent hotlinking using a simple text file! All you need to do is add the following to your .htaccess files.<\/p>\n
\u00a0 \u00a0 RewriteEngine on Let\u2019s try and understand what this code means. We first turn on the RewriteEngine<\/a> so that we can redirect requests to a different URL. RewriteCond<\/a> is a directive that takes in two arguments TestString and CondPattern. ${HTTP_REFERER} is a variable that stores the domain from which the request is coming. We try to match it with a pattern to make sure it\u2019s from your site. The (www\\.)? is to make sure that both the forms www.yoursite.com and yoursite.com are allowed. NC tells the system to ignore casing, F shows a 403 forbidden error \u00a0and L tells the system to stop rewriting.<\/p>\n You can also add an alternate image on hotlinking.<\/p>\n \u00a0\u00a0\u00a0RewriteRule \\.(jpg|png|gif)$ http:\/\/<path_to_your_hotlinked_image> [NC,R,L]<\/em><\/p>\n The R rule here redirects the request.<\/p>\n The .htaccess file\u2019s basic use is to allow or block access to a certain directory. You can configure it to selectively allow or disallow requests from a certain user.<\/p>\n If you find that a spammer has been bothering you, or someone has been trying to scrape your content, you can block their IP address by adding the following-<\/p>\n \u00a0\u00a0\u00a0Order Deny<\/em> You can also redirect such users to a certain URL.<\/p>\n \u00a0\u00a0\u00a0RewriteCond %{REMOTE_ADDR} 192\\.168\\.121\\.<\/em> For security purposes, you might sometimes need to selectively allow only certain IP addresses to a certain location. For instance, you might want only your IP to access the admin area of your site. In such cases, you block requests from all IPs and selectively add your IPs to the whitelist.<\/p>\n \u00a0 \u00a0 order deny,allow<\/em> The process of blocking and allowing users can also be done using a firewall (like ufw).<\/p>\n It might so happen that opening a certain path on the browser lists the directory structure in it (in the absence of an index.html file). For security reasons, it is considered a good idea to restrict this. To make this happen, you just need to add a single line to your .htaccess file.<\/p>\n \u00a0\u00a0\u00a0Options -Indexes<\/em><\/p>\n Doing so shows a Forbidden page when you try to view the directory structure.<\/p>\n Although this is possible with most of the popular CMS or frameworks, the easiest way to show a custom 404 or 500 error pages are through simple changes in the .htaccess files.<\/p>\n \u00a0\u00a0\u00a0ErrorDocument 404 <\/em><\/p>\n Search engines treat www.yoursite.com\/something and www.yoursite.com\/something\/ as two different URLs even though they may point to the exact same thing. The Google Webmasters<\/a> Blog advises that the best way to go about this problem is for the non-slash version to redirect to the slash version. Search engines, thus, would understand that it\u2019s the same content that they are pointing to!<\/p>\n
\n<\/em>\u00a0 \u00a0 RewriteCond %{HTTP_REFERER} !^$
\n<\/em>\u00a0 \u00a0 #domains that can link to your content (images here)
\n<\/em>\u00a0 \u00a0 #add as many as you want
\n<\/em>\u00a0 \u00a0 \u00a0RewriteCond %{HTTP_REFERER} !^http(s)?:\/\/(www\\.)?yoursite.com [NC]
\n<\/em>\u00a0 \u00a0 \u00a0#show no image when hotlinked
\n<\/em>\u00a0 \u00a0 \u00a0RewriteRule \\.(jpg|png|gif)$ \u2013 [NC,F,L]<\/em><\/p>\nBlock\/Allowing Users from a certain IP address:<\/h2>\n
\n\u00a0 \u00a0Deny from 192.168.121.45<\/em><\/p>\n
\n\u00a0 \u00a0RewriteRule .* https:\/\/google.com [R,L]<\/em><\/p>\n
\n\u00a0 \u00a0 Deny from all<\/em>
\n\u00a0 \u00a0 # whitelist IP Address 1<\/em>
\n\u00a0 \u00a0 allow from xx.xxx.xx.xx<\/em>
\n\u00a0 \u00a0 #whitelist IP Address 2<\/em>
\n\u00a0 \u00a0 allow from xx.xxx.xx.xx<\/em><\/p>\nHiding Directory Listing:<\/h2>\n
Display Custom Error Pages<\/h2>\n
Force trailing slash<\/h2>\n