Apache .htaccess Micro-Howto

The Apache web server software enables users to configure many parameters in .htaccess files. These files are regular text files, containing Apache configuration directives, and they can be placed anywhere under your ~/www/ tree. This micro-howto will explore, in a rather compressed manner, some frequently used directives.

Note: While users of dedicated web servers under our Advanced and Corporate packages may prefer to place these directive directly in their httpd.conf, the syntax remains the same.


The directives of an .htaccess file are processed recursively. They apply not only to the directory in which the .htaccess file is placed, but also to its subdirectories.


Comments can be inserted using the "#" character at the beginning of a line.

Password protection for directories

Basic password authentication is useful when you want to restrict access to a directory based on usernames and passwords. A protected area will cause the visitor's browser to prompt for a password. Where security is important, basic authentication should always be combined with the use of SSL (using basic authentication without SSL would expose the password).

  AuthName "restricted stuff"
  AuthType Basic
  AuthUserFile /home/myself/private/stuff.pw
  Require valid-user

The AuthName can be any text. It will be displayed as the user enters the password.

The AuthUserFile directive designates the text file which will hold the username/password pairs. This file can be placed anywhere in your home directory. In this example, the file is placed in ~/private/stuff.pw.

You can generate and update the AuthUserFile using the htpasswd utility. Use the -c flag when first creating the file. The last command-line argument is the login name to create (or whose password is being updated).

  $ htpasswd -c ~/private/stuff.pw newlogin1
  $ htpasswd ~/private/stuff.pw newlogin2
Blocking requests from specific addresses

The Deny from directive can block service to a specific IP address, domain name or block:

  Deny from
  Deny from 1.2.3.

Alternatively -

  <Limit GET>
  Order deny,allow
  Allow from all

Note that blocking an IP address using this method is not a proper way to deal with abuse! It is generally a bad policy to block clients based solely on their IP address.

Custom error documents

You may create and use your own custom error documents, to display in response to errors such as requests to non-existant files, by using the ErrorDocument directive. Please craft these error documents, so as to occupy minimal hard drive space and without incorporating images, since things like computer worms may generate massive amounts of hits to ErrorDocuments quickly. Never declare a URL as the destination for the ErrorDocument!

  ErrorDocument 404 errors/notfound.html
  ErrorDocument 403 errors/forbidden.html
  ErrorDocument 500 errors/servererror.html
Controlling directory listings

If there is not index file in a directory (and this directory is readable by the web server), a directory index will be automatically generated. To disable this feature, use:

  Options -Indexes

Specific files can be removed from the listing as well. To selectively block the listing of any README file and all *.gif images, use IndexIgnore:

  IndexIgnore README *.gif
Configuring file extension mappings

To override the default file associations and reorient the mapping of given file extensions to user-specificied handlers, the AddHandler directive can be invoked

Suppose that all .html files in the current directory and subdirectories are to be executed as PHP scripts (assuming that they actually are PHP scripts!), you can use:

  AddType application/x-httpd-php .html

It is possible with the AddType directive to project a given filename onto a specific MIME type. To force the mapping of all files with the .foo extension onto the application/x-foo-type type, use:

  AddType application/x-foo-type .foo

We regularly register new default MIME types. If you think a given MIME type is worthy of server-wide recognition, please let us know!

Content negotiation

HTTP/1.1 compliant browsers have the ability to request web pages and other resources in different languages and character encodings. The Apache mod_negotiation module provides an option called MultiViews to enable implicit filename pattern matching.

  Options +MultiViews

For example, if a browser requests index.html, there is no file named as such, the web server will look for index.html.en, index.html.fr and so on, depending on the user's language preferences.

Some useful links

© 2024 CubeSoft Communications
All Rights Reserved.