Configure and Control with .htaccess

If you have a website with Freeola, or any other hosting firm, chances are you don't have direct access to the server's configuration files. They're likely locked down by the host's admin staff to stop people running riot with changes. Fair enough. But there is a way that lets you change server-wide settings for your site, without needing administrator privileges on the server. It's called an .htaccess file.

What is an .htaccess file?

An .htaccess (hypertext access) file allows you to configure your site for certain server-side settings, even if you don't own the whole server. Basically, even though your website is hosted by someone else, you still have some control over the web server settings.

'Web server settings' - sounds complex. What does that actually mean?

You can do all sorts of cool stuff with the .htaccess file.

- You can create custom error pages that will show when you get 404 / 403 / 501 error messages. Instead of the browser default, you can set them to go anywhere you want - maybe a page with a search box if the address typed is invalid, or a login page if you get a '403 - Forbidden' error.

- You can password protect areas of your site that only people with user IDs and passwords can access

- If someone tries to hotlink any of your content, you can serve a warning instead. Hotlinking is when someone links to an image on your site, rather than hosting it themselves, and costs you bandwidth whenever someone loads up the other person's page.

- Change file extensions for your dynamic pages to whatever you like - so you can create cool RSS feeds that are dynamic, by associating your dynamic page types (for me, PHP) with the .xml format

- Redirect users from one page to another - for example allowing users to type your web address without the 'www.', or pointing people from the home page to a new site

-Deny certain users from accessing your site - by domain name (e.g. www.spammer.com) or by IP address (e.g. 101.45.43.2)

-You can stop people from viewing the 'directories' or file structures of the various folders of your website

What I'll Cover...

1) How to create your own .htaccess file
2) How to redirect users
3) How to serve custom error pages
4) How to block or allow IPs and domains
5) How to block people viewing the folder structures of your site
6) How to stop hotlinking of your content and serve them a 'warning' ;)
7) How to associate file extensions
8) How to password protect folders

What You Need...

- Webspace of some sort
- A webhost that supports '.htaccess'
- A text editor (I use 'Notepad')

============================================
What you need to know - PLEASE READ

- These commands are all fairly simple, and by following the instructions and taking things 1 step at a time your site will be fine. However, if you're not hugely familiar with managing websites / servers, or want to double check anything, do post below or let me know (my address at the bottom of the page)

- If I put any content inside < this kind of 'angle brackets’ > then it means it's something YOU have to change with your own content. For example:

ErrorDocument <error number> <error document path>

means '<error number>' and '<error document path>' need to be edited by you. This could be:

ErrorDocument 501 /errors/501.php

See what I did there? My '<error number>' was '501', and my '<error document path>' was '/errors/501.php'.

Right, let’s get started...
===========================================

1) How to create your own .htaccess file

- Open up your text editor of choice
- Save a blank file, using the filename .htaccess
- Make sure when you save in Notepad to change the 'Save as type' dropdown to 'All Files'. This will ensure that it is saved as .htaccess, and not .htaccess.txt
- If you close the file, then try and open it from wherever you saved it, Windows might ask you want program to use to open .HTACCESS files - this is good! Choose 'Select a program from a list of installed programs', then select 'Notepad'
- Great! You've got a blank .htaccess file.
- Once you're ready to go, upload this file (in ASCII mode of your FTP program) to the top level directory of your website (except for 'Howto #8' - explained below)

TOP TIP For every new command in your .htaccess file, take a new line!

2) How to redirect users

Probably the easiest thing to do with an .htaccess file – a way to quickly re-direct users from 1 page to another.

Redirect <old file> <new file>

It’s that simple – an example below:

Redirect /oldplace/oldfile.php http://www.synae.co.uk/index.php

3) How to server custom error pages

One of the most common tasks .htaccess files are used for is to redirect visitors on your site to custom error pages. To do this, type or copy the following into your .htaccess file:

ErrorDocument <error number> <error document path>

where <error number> is one of the HTTP4.0 standard error numbers, such as:

'400' (Bad Request)
'401' (Unauthorized)
'402' (Payment Required)
'403' (Forbidden)
'404' (Not Found)

and <error document path> is the webpage you want to show instead. For my website, it's '/errordocs/404.php'. That means, for me, the custom error line is:

ErrorDocument 404 /errordocs/404.php

You can do this for all the standard errors!

4) How to block or allow IPs and domains

You can quickly and easily blacklist, of even whitelist, IPs and domains to your site using the .htaccess file. Here's how:

order allow,deny
deny from .freeola.com
deny from de.synae.co.uk
allow from 255.254.253.252

This would block all freeola.com domain and subdomains, the subdomain 'de.synae.co.uk', and allow only from the specified IP address '255.254.253.252'. Obviously that example is pointless (no need to deny anyone if you're only allowing 1 IP address) but you can see the possibilities...

Whitelist only website:

order allow,deny
allow from 101.0.0.0

- this allows access only to IP addresses from 101.0.0.0 to 101.255.255.255.

Blacklist websites:

order allow,deny
deny from .spammer.com

- this denies access to anything from .spammer.com/

5) How to block people viewing the folder structures of your site

A simple one this. Don't want people to check out the files that make up your site? Or to just randomly download whatever media they please? Add in:

IndexIgnore *

You can be more granular, and specify what file extensions to ignore, like this:

IndexIgnore *.jpg *.png *.mov

will list everything EXCEPT jpgs, pngs, and movs.

6) How to stop hotlinking of your content and serve them a 'warning' ;)


Nobody likes having their content hotlinked. It's effectively stealing bandwidth, and it's just not cool. But how can we stop the pesky bandwidth bandits? Your top-level .htaccess file, of course.

TOP TIP MAKE SURE and use the main .htaccess file, that is, the one with the error documents mentioned, and not the password protect one!

Just type the following in the .htaccess file:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www.)?<your domain name>/.*$ [NC]
RewriteRule .(gif|jpg|avi|png|tif|mov)$ http://www.<your domain name>/<your image> [R,L]

replacing <your domain name> with your domain, and <your image> with whatever picture you want to show if people do try to hotlink you. So for me:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www.)?synae.co.uk/.*$ [NC]
RewriteRule .(gif|jpg|avi|png|tif|mov)$  http://www.synae.co.uk/uploads/getlost.gif [R,L]

See the bit (gif|jpg|avi|png|tif|mov)? You can add in any file extension you like here, and it'll be blocked.

7) How to associate file extensions

Want to create your own crazy file extensions? Or associate one file extension with another? This can allow you to make dynamic XML RSS feeds, or PHP pages that have a file extension .girlypants. Whatever takes your fancy...

To do this, simply type:

AddType <type 1> <type 2>

Where <type 1> is the type that <type 2> should become. So, for me:

AddType application/x-httpd-php .xml

makes .xml pages get treated as .php compatible. Yay dynamic code! Note that <type 1> is in the form of the MIME type, some examples of which can be found here

8) How to password protect folders

There are 4 basic steps to password protection using .htaccess:

A) Create a new .htaccess file for the directory you want to protect.
B) Create a new .htpasswd file with the usernames and passwords of people who can access this directory.
C) Upload .htaccess  to the directory you want to protect.
D) Upload .htpasswd  to a SAFE directory that isn’t accessible on the web

Step A) is easy - just do it the same way as before. Step B) is almost as easy - just call the file .htpasswd instead of .htaccess. Steps C) and D) is as just a case of transferring the files to your webspace, in the right places

Inside the new .htaccess file, type:

AuthUserFile <full path to .htpasswd>
AuthType Basic
AuthName "<area name>"
Require valid-user

where <full path to .htpasswd> is the full directory path to the .htpasswd file - you'll probably need to ask your web server admin for this information, or check on their hosting FAQs. <area name> is just the name of the section you want to be 'special users only'. So, for me:

AuthUserFile /home39c/sub001/sc30718-XHYM/notTelling/.htpasswd
AuthType Basic
AuthName "FORBIDDEN AREA"
Require valid-user

The .htpasswd file is even more simple. Each line is:

<username>:<encrypted password>

So, for example:

phuzzy:54tregrfg4tgrebgf

But how do I get an encrypted password? Easy. Generate them  here

Insert all of the username / password combinations inside the .htpasswd file, like this:

phuzzy:$apr1$kwmc2/.. $q9thjOSKSwExNBi1

Finally upload to the directory you want to protect, and it'll then be locked!

In conclusion

.htaccess is a powerful way to change settings on your server, without the stress of hosting a website on your own server. However, what’s included here is only a snapshop of the things you can do. I’ll post on the more advanced features soon, but as a starting point, you can look at the Apache web server ‘.htaccess’ documentation for more info on how to best use the file:

Apache .htaccess Information

Thanks,

Phuzzy

===================================
If you’ve spotted an error, require clarification or need a hand, please just post and let me know, or give me a shout on paul [at] synae [dot] co [dot] uk