The Apache web server software enables users to configure many parameters in .htaccess files. These files are regular text files, containing Apache configuration directives, and they can be placed anywhere under your ~/www/ tree. This micro-howto will explore, in a rather compressed manner, some frequently used directives.
Note: While users of dedicated web servers under our Advanced and Corporate packages may prefer to place these directive directly in their httpd.conf, the syntax remains the same.
The directives of an .htaccess file are processed recursively. They apply not only to the directory in which the .htaccess file is placed, but also to its subdirectories.
Comments can be inserted using the "#" character at the beginning of a line.
Basic password authentication is useful when you want to restrict access to a directory based on usernames and passwords. A protected area will cause the visitor's browser to prompt for a password. Where security is important, basic authentication should always be combined with the use of SSL (using basic authentication without SSL would expose the password).
AuthName "restricted stuff" AuthType Basic AuthUserFile /home/myself/private/stuff.pw Require valid-user
The AuthName can be any text. It will be displayed as the user enters the password.
The AuthUserFile directive designates the text file which will hold the username/password pairs. This file can be placed anywhere in your home directory. In this example, the file is placed in ~/private/stuff.pw.
You can generate and update the AuthUserFile using the htpasswd(1) utility. Use the
-c flag when first creating the file. The last command-line argument is the login name to create (or whose password is being updated).
$ htpasswd -c ~/private/stuff.pw newlogin1 $ htpasswd ~/private/stuff.pw newlogin2
Deny from directive can block service to a specific IP address, domain name or block:
Deny from 10.0.0.1 Deny from 1.2.3.
<Limit GET> Order deny,allow 10.0.0.1 1.2.3. Allow from all </Limit>
Note that blocking an IP address using this method is not a proper way to deal with abuse! It is generally a bad policy to block clients based solely on their IP address.
You may create and use your own custom error documents, to display in response to errors such as requests to non-existant files, by using the ErrorDocument directive. Please craft these error documents, so as to occupy minimal hard drive space and without incorporating images, since things like computer worms may generate massive amounts of hits to ErrorDocuments quickly. Never declare a URL as the destination for the ErrorDocument!
ErrorDocument 404 errors/notfound.html ErrorDocument 403 errors/forbidden.html ErrorDocument 500 errors/servererror.html
If there is not index file in a directory (and this directory is readable by the web server), a directory index will be automatically generated. To disable this feature, use:
Specific files can be removed from the listing as well. To selectively block the listing of any README file and all *.gif images, use IndexIgnore:
IndexIgnore README *.gif
To override the default file associations and reorient the mapping of given file extensions to user-specificied handlers, the AddHandler directive can be invoked
Suppose that all .html files in the current directory and subdirectories are to be executed as PHP scripts (assuming that they actually are PHP scripts!), you can use:
AddType application/x-httpd-php .html
AddType application/x-foo-type .foo
We regularly register new default MIME types. If you think a given MIME type is worthy of server-wide recognition, please let us know!
HTTP/1.1 compliant browsers have the ability to request web pages and other resources in different languages and character encodings. The Apache mod_negotiation module provides an option called
MultiViews to enable implicit filename pattern matching.
For example, if a browser requests index.html, there is no file named as such, the web server will look for index.html.en, index.html.fr and so on, depending on the user's language preferences.