htaccess file - settings and examples of use. Trying again to create an almost perfect htaccess
Apache- The most common HTTP server. Distributed free of charge, including source code. Scripts supported CGI(including FastCGI), PHP, Perl, Java. Authentication - basic, message-digest, TLS (SSL). Since April 1996 it is the most popular HTTP server on the Internet, in August 2007 it was running on 51% of all web servers.
.htaccess- additional web server configuration file Apache, as well as similar servers. Allows you to specify a large number additional parameters and permissions for running the web server for individual users (as well as on various folders of individual users), such as controlled directory access, reassigning file types etc., without providing access to the main configuration file, i.e. without affecting the operation of the entire service.
.htaccess is a likeness httpd.conf with the difference that it only affects the directory in which it is located and its child directories. Possibility of use .htaccess present in any user directory.
File .htaccess can be placed in any directory on the site. The directives of this file affect all files in the current directory and all its subdirectories (unless these directives are overridden by directives of underlying files .htaccess).
Directives .htaccess provide the user wide choose options for customizing your website, including:
|
|
A list of all available directives can be viewed.
Describes the client's preferences regarding the type of document.
Visitor's IP address.
The visitor's address in normal form - for example, rt99.net.ru .
Remote user name. Has the format name.host, for example, kondr.www.rtt99.net.ru
Same as REMOTE_IDENT, but contains only the name. Example: kondra
Allows you to determine the type of request (GET or POST). Must be analyzed, because defines further method information processing.
Full path to the web page on the server.
Contains everything that was passed into the script.
Contains the string passed as a request when calling CGI script.
Used to identify the user
Contains the path to the server root directory.
Mailing address server owner specified during installation.
Your website's IP address.
The port on which Apache is running.
Version HTTP protocol.
Server name, for example, Apache/1.3.2 (Unix)
TIME_MON
TIME_DAY
TIME_HOUR
TIME_MIN
TIME_SEC
TIME_WDAY
TIME
Variables designed to work with time in different formats.
This is the version API module Apache(internal interface between the server and the module) in the current server build, which is defined in include/ap_mmn.h.
Full line HTTP-request sent by the browser to the server (i.e., "GET /index.html HTTP/1.1"). It does not include any additional headers sent by the browser.
The resource requested in the HTTP request line.
The full path in the server file system to the file or script that matches this request.
A condition is a condition template, i.e. any regular expression applied to the current instance of the "String being compared", i.e. The "Compared String" is searched for a match to the Condition.
Remember that the condition is perl-compatible regular expression with some additions:
All of these checks can also be prefixed with an exclamation point ("!") to invert their meaning.
RewriteEngine turns the conversion mechanism on or off. If it is set to off, this module does not work at all. Note that by default, transform settings are not inherited. This means that you must have a RewriteEngine on directive for each virtual host in which you want to use this module.
Syntax RewriteEngine as follows:
Use to combine conditions in rules OR instead of AND. A typical example is redirecting requests for subdomains to separate directories.
To display different sites for different browsers, according to "User-Agent:" request header, you can use the following directives:
In substitution, you can also use special flags by adding the directive as the third argument RewriteRule. Flags is the following comma separated list of flags:
"redirect|R [=code]"
(causes a redirect)
Prefix in View Substitution http://thishost[:thisport]/(creating a new URL from any URI) starts an external redirect (redirection). If there is no code, in the substitution the answer will be with HTTP status 302 (TEMPORARILY MOVED). To stop the conversion process you also need to write a flag "L".
"forbidden|F [=code]"
(makes the URL prohibited)
This is what the current one does URL prohibited, for example, a response is immediately sent to the client with HTTP status 403 (PROBILED). Use this flag in combination with the appropriate RewriteConds for blocking URL according to some criteria.
"gone|G [=code]"
(makes the URL "dead")
This flag makes the current URL"dead", i.e., immediately sent HTTP response with status 410 ( GONE). Use this flag to mark pages that no longer exist as "dead".
"proxy|P [=code]"
(calls proxy)
This flag marks the wildcard part as an internal proxy request and immediately (i.e. the conversion process stops here) passes it through the proxy module. Use this flag to achieve a more powerful implementation of the directive ProxyPass, integrating some content on remote servers to the local server namespace.
"last|L [=code]"
(last rule)
Stop the conversion process at this point and do not apply any further conversion rules. Use this flag to not convert the current URL other subsequent transformation rules.
"next|N [=code]"
(next round)
Restart the transformation process (starting with the first rule). In this case URL again matched to certain conditions, but not original URL, A URL exited from the last conversion rule. Use this flag to restart the conversion process, i.e. unconditional transition to the beginning of the cycle.
"chain|C [=code]"
(connection with the next rule)
This flag links the current rule to the next one (which, in turn, can be linked to the next one, etc.). This has the following effect: if the rule is matched, the process continues as normal, i.e. the flag has no effect. If a rule does not match the condition, all subsequent related rules are skipped.
"type|T=MIME-type [=code]"
(force set MIME type)
Force install MIME type target file in MIME type. For example, this can be used to simulate mod_alias directives ScriptAlias which forces all files inside the displayed directory to set MIME type equal "application/x-httpd-cgi".
"nosubreq|NS [=code]"
(only used in case of non-inner subquery)
This flag instructs the conversion engine to skip the directive if the current subquery is an inner subquery. For example, internal subqueries in Apache occur when mod_include tries to get information about possible files default for directories (index.xxx). With subqueries, this is not always useful and sometimes even causes problems in the operation of a set of transformation directives. Use this flag to exclude some rules.
"nocase|NC [=code]"
(ignore case)
This makes the Pattern case insensitive, i.e. there is no difference between "A-Z" and "a-z" when the Pattern is applied to the current one URL.
"qsappend|QSA [=code]"
(add query string)
This flag instructs the transformation engine to append, rather than replace, query strings from URL to the existing one, in the substitution line. Use this when you want to add additional data to the query string using transformation directives.
"noescape|NE [=code]" This flag does not give mod_rewrite apply normal escaping rules URI to the result of the transformation. Usually, Special symbols(such as "%", "$", ";", and so on) will be escaped by their hexadecimal substitutions ("%25", "%24", and "%3B", respectively); this flag prevents this from happening.
(do not escape the URI when outputting)
If in subdirectories in .htaccess there are no module directives mod_rewrite, then all conversion rules are inherited from the parent directory.
If present in file .htaccess any module directives mod_rewrite nothing is inherited, and the default state is set to the same as in the main configuration file of the web server (default "off"). Therefore, if you need conversion rules for a specific directory, you need to insert the directive again " RewriteEngine on" V .htaccess for a specific directory.
When inheriting rules from upper directories and adding new ones that are unique to this directory, you must set the following at the beginning: " RewriteEngine on" And " RewriteOptions inherit" - the last directive tells the server to continue.
Examples of using mod_rewrite you can see
If you have installed operating system families Windows, You can connect to the server using SSH(connection instructions can be found) and use the utility htpasswd.
Launching htpasswd without parameters we will see:
|
beget@ginger ~ # htpasswd Usage: htpasswd [-cmdps] passwordfile username htpasswd -b passwordfile username password -c Create a new file. beget@ginger ~ # |
All the parameters of this command will not be covered here, but you can read the details for yourself by running htpasswd V unix shell, or by reading the appropriate Apache documentation page.
So, initially we do not yet have a file with passwords and we need to create it:
And now we want to add another user. Since we have a file with passwords has already, we just won't use the "-c" switch:
Pointing valid-user You allow access to all users listed in the password file.
Let's give an example for accessing specific users from a file with passwords .htpasswd
|
|
It should be remembered that with such access restrictions, passwords are transmitted over communication channels in clear text and, under certain circumstances, can be intercepted by attackers. Therefore, for security reasons, it is recommended to organize access to restricted areas of the website through a secure SSL connection.
Allow access from a specific ip: order allow denydeny from all
allow from<ваш ip>In this case, <ваш ip> indicates a specific address.
For example: order allow deny
deny from all
allow from 192.126.12.199
Deny access from a specific ip: order allow deny
deny from all
deny from<ваш ip>Usage <ваш ip>
similar for the example above.
Depending on the order in which the directives are specified, the logic of the server’s operation changes. If Deny, Allow, then access is denied from all IPs except those specified, if Allow, Deny, access is allowed from all IPs except those specified. Next should be description sections for access and prohibition. Keyword all means from everyone IP
For example, we want to deny (block) access from IP 81.222.144.12 and 81.222.144.20 and allow everyone else we need to add to .htaccess the following code:
Order Allow, Deny
Allow from all
Deny from 81.222.144.12, 81.222.144.20
For the reverse situation when we want to deny access from everyone IP in addition to 81.222.144.12 and 81.222.144.20 we need to add to .htaccess the following code:
Order Deny,Allow
Deny from all
Allow from 81.222.144.12, 81.222.144.20
To allow only specific hosts or groups of hosts to access the server, the host can be specified in any of the following formats:
- for a domain name (or part of it): Allow from apache.org
Allow from .net example.edu - for ip address: Allow from 10.1.2.3
Allow from 192.168.1.104 192.168.1.205 - for part of the ip address:
Allow from 10.1
Allow from 10 172.20 192.168.2 - for network/mask pair: Allow from 10.1.0.0/255.255.0.0
- for network/nnn CIDR specifications:
Allow from 10.1.0.0/16
Ban a group of files by mask:
order allow,deny
deny from all
For example, denying access to files with "inc" extensions for web visitors:
order allow,deny
deny from all
In this example, the Apache web server itself can access files with such extensions.
Ban on a specific file:
You can block a specific file by its name and extension.
order allow,deny
deny from all
Directory password: AuthName "Private zone"
AuthType Basic
require valid-user
The AuthName value will be displayed to the visitor and can be used to clarify the authorization request. The AuthUserFile value indicates the location where the file with passwords for accessing this directory is stored. This file is created special utility htpasswd.exe.
For example, in a directory that is protected with a password, we create the following .htaccess: AuthName "For Registered Users Only"
AuthType Basic
AuthUserFile /pub/site.ru/.htpasswd
require valid-user
In this example, when a visitor requests a directory, he will read the phrase “For Registered Users Only”; the file with access passwords should be in the /pub/site.ru/ directory and called.htapasswd. The directory is specified from the server root; if you specify the directory incorrectly, Apache will not be able to read the .htpasswd file and no one will have access to this directory.
Password for only 1 file:Tue Feb 09 2010 15:44:59 GMT+0300
Similar to passwording a whole directory, you can put a password on only 1 file.
An example of setting a password for the private.zip file:
AuthName "Users zone"
AuthType Basic
AuthUserFile /pub/home/your_login/.htpasswd
Password for a group of files:
Likewise, using
An example of setting a password for access to all files with the "sql" extension:
AuthName "Users zone"
AuthType Basic
AuthUserFile /pub/home/your_login/.htpasswd
- Tutorial
Google ranks sites that load faster higher. - If eBay or Amazone increase page loading time by 9%, they lose 1% of profit. - Make your website faster to save on client traffic and the number of calls to the server.
.htaccess is our hero
Professionals know what htaccess is.Those who are planning to leave Narod.ru for PHP hosting just have to find out what it is.
Those who have just installed their first jooml or wordpress should urgently learn about our hero - htaccess
Why do we need .htaccess ?
Imagine that you bought yourself hosting and it seems that you have almost found happiness. But one day (or maybe twice, maybe three times) your site stops responding. It starts to load slowly and generally behave strangely. And virtual hosting is such a tricky thing that in addition to your site, there are two dozen other sites on this server. They are all different in power, organization and traffic. And when your neighbor, by accident, or maybe on purpose, launches complex or redundant scripts on his hosting, this also affects you.Or another example. Let’s say your resource is starting to gain popularity, but it’s too early to move to a dedicated server, and the VPS capacity is no longer enough. htaccess can really help you out.
And htaccess can also solve some security issues for your site.
I want the perfect .htaccess!
It turns out there is a lot of different conflicting information on the Internet regarding how to use .htaccess. I had to experiment long and tediously to understand what is true and what is false. In most cases, the authors of advice in their blogs forget to mention that for certain conditions to work, one or another Apache module is needed.However, enough words, it’s time to get down to business. Let's try to create an almost perfect .htaccess
1. The first line sets the main options:
Using options is very convenient when you do not have access to Apache configuration or need different Apache settings for different sites on the same server.
The -ExecCGI option prevents the execution of CGI scripts. It is better to allow only for specific folders. Will increase security.
The -Indexes option prevents the contents of directories from being shown if they do not contain an index file. On shared hosting it is usually enabled by default. By changing the minus to plus +Indexes, you can, on the contrary, allow viewing the contents of the directory (or directories).
The -Includes option disables SSI. If you don’t know what it is, prohibit it (You can use Yandex(!) upon request Server Side Include if you want to know more about it). You can use the IncludesNOEXEC option, which will allow SSI to be used without running scripts.
The +FollowSymLinks option allows you to use symbolic links to files or directories that are not within the root of your site.
Note
You can use htaccess with different settings for different directories. In the root of the site you can declare -Indexes, and in selected directories create another .htaccess file and declare +Indexes in it. Remember that the effect of htaccess options propagates from top to bottom of the directory tree to the deepest nesting until they are overridden by another htaccess.
It is not necessary to fully list all options in child.htaccess if they do not change. It is enough to specify (reassign) only those options and directives that change. The remaining options will also be inherited from the parent.
Example
Let's say you have this path /site/folder_one/subfolder/other/
In the /site/.htaccess file you specify:
Options -Indexes Allow from all
In the /site/folder_one/.htaccess file you specify:
Deny from all
In the file /site/folder_one/subfolder/.htaccess you specify:
Options +Indexes Allow from all
This is what you get:
The site folder will display files of any content, unless you access them directly. Or an index file, if there is no explicit access to one of the files. If the index file is missing, a 403 error is received.
Access to the folder_one folder is closed. Even if you know the file name and type it into address bar the server will respond with a 403 error.
The subfolder folder is allowed for direct access or, in the absence of an index file, will show the contents of the directory. The same rights apply to the other folder.
If you remove the htaccess file from the folder_one folder, it will inherit the rights from the parent site.
2. A little SEO (where would we be without it)
Be sure not to forget about the condition
This part is more useful for SEO. The rewrite module, as its name suggests, deals with redirections (hi Cap).
In this part of the file, we indicated two merges: we merged your_site and www.your_site. Even if the user types your site without WWW, it will be redirected with a 301 redirect to www.your_site.
We also got rid of /index.php in the query string. If the user types www.your_site/index.php it will redirect him (again with a 301 redirect) to www.your_site.
Now search engines will not get confused between www and will not duplicate the main page in the indexing results of your site. Google SEO domain gluing if you don’t understand why it’s needed.
3. Who is in charge of the folder?
If you have files index.html and index.php in your folder (I don’t know why and who needed this, but I’ve seen this more than once), then how can you tell the server which of them is more indexed?
DirectoryIndex index.php
You can also specify there, say roosso.php, and then by typing the address site.blah/blah/blah/ in the query line you will see not index, but roosso
4. More settings...
The first line sets the time zone. For example, in Apache 2.22.22 there was a bug associated with this option. The time functions in php did not work until you set the time zone.
The second line is the server signature. You have seen them more than once on all sorts of system pages such as the 500th error or 403rd. There's usually some kind of Technical information and webmaster's email. I prefer to hide data about the software on the server even in such small things. My paranoid colleagues will support me.
Guess what the third line does?
5. When there is no access to php.ini
Using .htaccess we can also manage a number of PHP settings. On shared hosting, as a rule, it is not possible to change php.ini settings. Most often this is not required. But there are still a number of control options that can be useful to us. For example, increase the limit on file uploads, or the transfer limit using this POST method.
The first line allows you to upload files up to 32 Megabytes in size. The default in php is usually 8 or 16 megabytes.
The second line allows posting up to 10 megabytes. The default value is usually 2 Megabytes.
The third line sets the encoding used by your scripts. At its core, it duplicates the line: “AddDefaultCharset UTF-8”. But I often resort to setting the encoding via PHP.
The fourth line changes the time limit allocated for script execution. By default it is usually 30 seconds. But sometimes some complex processing requires more time.
6. File types. Sleight of hand and no fraud.
In my practice, it happened a couple of times that after some update by the software provider, file types disappeared. Although this is rare. In 10 years, only two cases. But sometimes I needed to make html work like php. And sometimes you need to teach Apache to distinguish between file types that it does not know. (As it turned out, Apache generally knows little about rare file types.) In such a situation, the following code will save us:
AddHandler application/x-httpd-php .html AddHandler cgi-script .pl .py .jsp .asp .htm .shtml .sh .cgi AddType application/x-javascript .js AddType text/css .css AddType text/xml .xml AddType application/octet-stream .doc .mov .avi .pdf .xls # ForceType application/x-httpd-php
The first line will allow our php files to have html extension, but executed as php. It is useful in many cases. And in the good old days, when search engines indexed CNC better, such a line always came to the rescue.
We can reassign, add or replace any file types to suit the permissions that suit us.
Interesting trick
By the way, you can easily write, for example, this line:
AddHandler application/x-httpd-php .i
Then rename all your files, changing the extension to .i (not forgetting about the links, of course) and the addresses of the files on your site will not be site.my/index.php?uri but site.my/index.i?uri
For example I write
AddHandler application/x-httpd-php .roosso
and I create a file alex.roosso in the root of my site inside the usual PHP code. This is kind of like a page about my beloved. And in the address bar it will look like www.black-web.ru/alex.roosso (the link is working, you can see that it is so).
The second line specifies which file extensions should be executed as cgi scripts.
The third, fourth and fifth lines, just in case, specify the mime type of files with css, js, xml resolution. Do not confuse this with assigning a header in the server's response to a request, as is done in the first two lines.
The sixth line of this section is needed if your site has content downloadable for users. If you add this line, then when accessing these files they will be prompted to download them to the computer, and not as it is now in modern browsers a bunch of plugins that even open Word in the browser.
I commented out the seventh line. This line is forced and voluntary, all files from your server will be launched as php. It is better to use it only in separate folders, if necessary.
7. Adults and children know that archives weigh less...
Useful for making your pages load faster. That's why people came up with the idea of archiving files. And then they thought some more and decided that they could archive both pages on websites and pictures. And do this unnoticed by the user, but significantly reduce traffic and speed up page loading. Magic words sounded, now let’s discuss how this can be done.
Apache has two compression modules. Both are not default modules, so may not necessarily be present with your provider. But as practice has shown, 99% of providers have one of them. The most common is mod_deflate. To use it to compress all content on your site, add the following lines to .htaccess:
As you can see, we must list the mime type of files that should be compressed. You can add videos and pictures here, but this will be of little use. Because jpeg or gif are already compressed formats. Just like avi or flv. You actually have nothing to gain by listing them.
The second less popular module is mod_gzip. To enable compression using it, add these lines:
This module can work with masks, which is undoubtedly a big plus. And its syntax is much more flexible than the previous one. But it is used less often. And based on compression, I don’t even dare to judge which module is better. I big difference I didn't notice it during tests.
8. Can you do it even faster?
Can. If you use page caching. Caching has both pros and cons, so you need to approach this issue with preparation. For a site that is dynamically updated every 2-3 minutes, for example a popular forum, you need to take into account that the user must see the latest information. But every website has content that is more or less static. For example, the same pictures, or style files. Therefore, we will need to use caching differently for different content on the site. IN html markup we can always use meta tags. And through php we can set server response headers. The question remains, what to do with css, js, image, etc. and so on.
Two modules can help us with this: mod_headers and mod_expires, which can set headers in the server response and tell your browser what and how to cache. One of the modules is usually available from the provider, but as is the case with any module that is not included in the standard Apache build, no one will give you a 100% guarantee. Therefore, again, in order to avoid the 500th error, it specifies the conditions for each of the modules.
This is the syntax for mod_headers. I think it’s clear from the comments what’s what.
In this section I have disabled caching of php files. Although, in my opinion, a short caching time interval will not harm them. 5-30 seconds is a time interval during which little changes. And many users like to use the back key. In order not to load the page a second time, but to pick it up from the cache, a reasonable caching interval is still appropriate.
In the second section, where the conditions for mod_expires are, I do exactly that - for PHP I set a small caching interval.
9. Rules of polite tone...
In the process of modernizing our site, we often leave tails in the form of links that lead to pages that we have deleted. Sometimes such links come from other sites or search engines. In order not to lose users, it is considered polite to have own pages for different types of errors. Including even server errors. For example, the standard message about the 500th error is very boring and gloomy, and is unlikely to make the user want to visit your page again. But htaccess has tricks that can make even this page more welcoming.
# Bad Rquest ErrorDocument 400 /400.html # Authorization Required ErrorDocument 401 /401.html # Forbidden ErrorDocument 403 /403.html # Not found ErrorDocument 404 /404.html # Method Not Allowed ErrorDocument 405 /405.html # Request Timed Out ErrorDocument 408 /408.html # Request URI Too Long ErrorDocument 414 /414.html # Internal Server Error ErrorDocument 500 /500.html # Not Implemented ErrorDocument 501 /501.html # Bad Gateway ErrorDocument 502 /502.html # Service Unavailable ErrorDocument 503 / 503.html # Gateway Timeout ErrorDocument 504 /504.html
For 400 errors you can use and dynamic pages in php. But for 500 it’s better to do it in html and js. This part of the errors is usually associated with server errors (in most cases) and php or cgi usually do not work in such a situation.
If you are too lazy to make so many pages, set the error page to the main page of your site or sitemap.
You do all this exclusively for people. Search robots it doesn’t matter whether you have error pages or not. They see the server response with an error code and block your page from search. So keep in mind, this is not a panacea. This is just a courtesy to your audience and the image of your site.
10. Let's summarize
Connoisseurs understand that not everything is described in this article. I have only touched the surface of the iceberg here. In fact, the capabilities of .htaccess are much more extensive than described in the article. But I did not pursue the goal of translating the htaccess manual into Russian. All I wanted was to create a small skeleton of the .htaccess file for those who have just started studying this issue, in order to save their time searching for information on the Internet.
As a result of all the manipulations, we should have received a file with the following content:
Options All -ExecCGI -Indexes -Includes +FollowSymLinks
11. Afterword.
I tried not to rush into writing the article and it took almost a day. But still somewhere I could make mistakes in spelling or punctuation. I ask you not to execute, but to have mercy. It’s better to write in a personal message so that I can correct the mistakes.
And finally, for those who like to experiment, a few .htaccess lines. Judging from my own experience, knowledge is learned better in practice than in theory.
Nowadays, the Apache web server is used to organize the work of the vast majority of sites on the network. It lags a little in performance, but is very easy to set up and has a huge number of features.
The Apache web server can be configured not only in the main configuration file, but also through .htaccess files. These files are placed in specific folders and tell the web server how to behave in that folder and its subdirectories.
Setting up the htaccess file is very similar to setting up the main file Apache configurations. But it's a little different. With this file you can configure redirects, internal URL changes, access rights, password authorization and much more. In today's article we will look at how to properly configure htaccess for your server.
We have already started the topic in one of the previous articles, but today we will refresh the information a little and look at the htaccess setup in more detail.
All directives from the htaccess file are executed exactly the same as if they were placed in the global configuration file, only inside the directive
The general syntax of directives is very simple, they are pairs of commands and their options separated by a space, for example:
Command parameter1 parameter2 flags
There are quite a lot of commands themselves, and we will look at them using examples of the actions they perform. In addition to the commands themselves, nested structures can be used here, for example, to activate modules or check the availability of a particular module. Now let's move closer to how it's done correct setting htaccess. Let's start with the simplest steps.
Setting up htaccess access
Quite often htaccess is used to control access to a folder. Three commands are used to control access:
- order- order;
- deny- prohibit;
- allow- allow.
First, using the order option, you need to indicate in what order the directives will be executed; only this command has meaning, and it does not matter in what order they are located in the file.
Then, using the allow or deny directive, we allow or deny access to the folder from certain addresses. For example, to disable everything you need to add to htaccess:
Order deny,allow
Deny from all
But we can also allow access only from the local network:
Order deny,allow
Deny from all
Allow 192.168.0.
If deny,allow is specified, then the check will be performed in that order. First, all deny directives, then all allow directives, and if none of the conditions match, then the request is skipped. With allow, deny, such a request will be rejected by default. For example, the previous example could be written like this:
Order allow,deny
Allow 192.168.0.
URL modification in htaccess
The most common use of htaccess is for URL modification at runtime or redirects. The mod_rewrite module is responsible for this functionality and is usually enabled in most Apache configurations.
URL modification in htacces is done using three directives, these are RewriteBase, which specifies the address prefix, RewriteCond checks for compliance, and RewriteRule- changes the URL according to the regular expression if all matching rules match.
First you need to enable Mod_Rewrite, in case the module is not yet active:
RewriteEngine on
We indicate that the root should be used as a prefix for the URL:
And we will automatically replace the URL from index.html to index.php, note that the original URL is the path to the requested file relative to the location of the htaccess file:
RewriteRule index.html/index.php
For more efficient replacement, you can use regular expressions; they consist of special characters and variables and ordinary characters and numbers. Let's look at the main special characters:
- ^ - beginning of the line;
- $ - end of line;
- . - any symbol;
- * - any number of any symbols;
- ? - one specific symbol;
- - a sequence of characters, for example, from 0 to 9;
- | - symbol or, either one group or another is selected;
- () - used to select groups of characters.
In htaccess regular expressions you can also use variables with data obtained from request headers, for example:
- %(HTTP_USER_AGENT)- the User-Agent field, which is transmitted by the user’s browser;
- %(REMOTE_ADDR)- user IP address;
- %(REQUEST_URI)- requested URI;
- %(QUERY_STRING)- query parameters after the ? sign.
These are the most commonly used variables, but there are many more, the rest you can find in the official documentation. Regular expressions open up wider possibilities, for example, you can replace html with php in all pages:
RewriteEngine On;
RewriteBase/;
The RewriteCond directive gives even more flexibility; you can choose which addresses to apply the modification to, for example, we will redefine data only for the version with www:
RewriteBase/;
RewriteCond % (HTTP_HOST) ^www.site.ru$
RewriteRule ^(.*)\.html$ $1.php
This way you can perform any transformations on your URLs without actually redirecting anywhere. But next we will look at how to make redirects.
Setting up redirects in htaccess
Setting up htaccess redirects is done in a similar way, using the same mod_rewrite module, only now instead of modifying the url we specify a flag with the desired action and redirect code.
The simplest redirect can be performed without mod_rewrite, using the following line:
Redirect 301 /index.html http://www.site.ru/index.php
But usually you need redirects with a broader effect. Everything looks very similar, only now we use a flag to ignore case, [L] to stop processing and [R] to redirect. For example, redirecting htaccess from a non-www version to a domain with www:
RewriteCond %(HTTP_HOST) ^site\.ru$
RewriteRule ^(.*)$ http://www.site.ru/$1
The value R=301 means the redirect code that will be returned to the client; you can use 301, 302, etc. An htaccess redirect from the www domain to a domain without a prefix will look like this:
RewriteCond %(HTTP_HOST) ^www.site\.ru$
RewriteRule ^(.*)$ http://site.ru/$1
You can do a redirect in the same way:
RewriteRule ^old_address /new_address/$1
Redirect from http versions on https:
RewriteCond %(SERVER_PORT) ^80$
RewriteCond %(HTTP) =on
RewriteRule ^(.*)$ https://site.ru/$1
Setting up error pages in htaccess
If any errors occur during page generation, the web server issues a short message and error code. But it will be much clearer to users what’s going on if you make a separate page for each error with pictures and a full explanation.
Setting up htaccess for this item will be very useful. You can use the ErrorDocument directive. Using it, you can set HTML pages for errors 4xx and 5xx. For example, for 404:
ErrorDocument 404 http://site.ru/error/404.shtml
ErrorDocument 403 http://site.ru/error/403.shtml
ErrorDocument 401 http://site.ru/error/401.shtml
ErrorDocument 500 http://site.ru/error/500.shtml
Caching in htaccess
The browser allows you to store images, script files, styles and other media files in its cache certain time. The cache lifetime is set by the web server using special headers. They can be configured using the expires module.
First, activate the module and set the default caching period:
Expires Active On
ExpiresDefault "access plus 1 month"
Now we can configure caching for each mime file type:
ExpiresByType text/html "access plus 1 month 15 days 2 hours"
ExpiresByType image/gif "access plus 5 hours 3 minutes"
ExpiresByType image/x-icon "access plus 2592000 seconds"
In the first line we indicate that html pages should be considered valid for one month, 15 days and two hours from the moment of loading. The following file types are available:
- image/x-icon;
- image/jpeg;
- image/png;
- image/gif;
- application/x-shockwave-flash;
- text/css;
- text/javascript;
- application/javascript;
- application/x-javascript;
- text/html;
- application/xhtml+xml;
To be sure that this construction will not cause errors, wrap it in an if:
File compression in htaccess
For compression in Apache, you can use the deflate module. Here it is enough to simply list the mime types of files that need to be compressed. For example:
AddOutputFilterByType DEFLATE text/html text/plain text/xml application/xml application/xhtml+xml text/css text/javascript application/javascript application/x-javascript
You can also enclose an if statement to check if the module is supported:
conclusions
In this article we looked at how to configure the htaccess file for proper operation your site. All actions are not so difficult to perform. It is enough to copy a few lines and correct them to suit your needs. If you have any questions, ask in the comments!
To finish, I offer a video with an overview of the Apache configuration file:
165
In the web programming environment, the .htaccess file is often used when hosting sites managed by Apache server. This is very useful file, which allows you to define undefined or override options defined in httpd.conf or apache.conf for a specific site or directory of this site.
The file affects the current directory (where it is located) and all directories “below”, i.e. all child directories, unless they have their own .htaccess file defined.
In this article I will outline a number of the most commonly used features of this file. Of course, not everything is described here; you can learn a lot from the Internet, but the most frequently encountered questions are covered.
Writing rules
File directives are specified one per line.
All paths start from the site root (not from the root file system server!)
For example, if required file on the server is along the path /var/www/mysite.ru/mydir/file.html, then the correct path will be /mydir/file.html
If the url indication is executed, then the indication must be made using the protocol indication.
For example, if there is a redirect to the site www.mysite.ru, then you need to specify http://www.mysite.ru
Comments are everything after the # symbol
You can use environment variables in expressions. The list of the most commonly used ones is below.
Finally, when you make changes to a file, they immediately take effect. There is no need to reboot anything.
Environment Variables
Although not often, environment variables can still be used in the .htaccess file. Some of them are given below (thanks to the site htaccess.net.ru):
- QUERY_STRING (query parameters)
- REMOTE_ADDR (visitor's IP address)
- REMOTE_HOST (visitor's hostname)
- REMOTE_USER (username if authenticated)
- REMOTE_METHOD (browser method - GET or POST)
- PATH_INFO (web page file path)
- HTTP_USER_AGENT (content of the user-agent header - browser type)
- HTTP_REFERER (referer header content)
- HTTP_COOKIE (cookie header content)
- HTTP_HOST (website hostname)
- TIME_YEAR (year, month, etc.)
- TIME_MONTH
- TIME_DAY
- TIME_HOUR
- TIME_MIN
- TIME_SEC
- TIME_WDAY
- REQUEST_URI (requested URL)
- REQUEST_FILENAME (requested file)
- THE_REQUEST (full request)
Regular expressions in .htaccess
You can use regular expressions in this file. Their syntax is given below. Thanks to the site htaccess.net.ru
In a regular expression, you can use any printable characters and spaces, but some characters have special meaning:
- Parentheses () are used to separate groups of characters.
- The ^ character marks the beginning of a line.
- The $ character marks the end of the line.
- Symbol. stands for any character.
- Symbol | denotes an alternative. For example, the expressions "A|B" and "(ABC|DEF)" mean "A or B" and "ABC or DEF", respectively.
- Symbol? is placed after a character (or group of characters), which may or may not be present. For example, the expression "jpe?g" will match both the string "jpg" and the string "jpeg". An example of an expression with a group of characters: "super-(puper-)?site".
- The * character is placed after a character (or group of characters) that can be absent or present an unlimited number of times in a row. For example, the expression "jpe*g" matches the strings "jpg", "jpeg" and "jpeeeeeeeg".
- The + character acts similarly to the * character, with the only difference being that the character preceding it must be present at least once. For example, the expression "jpe+g" matches the strings "jpeg" and "jpeeeeg", but not "jpg".
- Square brackets are used to list valid characters. For example, the expression "" is equivalent to the expression "a|b|c", but the option with square brackets is usually faster. You can use ranges inside parentheses: for example, the expression "" is equivalent to the expression "". If the characters inside the square brackets begin with a ^, it means any character other than those listed in the brackets. For example, the expression "[^0-9]+" means a string of any characters except numbers.
- The \ symbol is placed before special characters if they are needed in their original form. For example, the expression "jpe\+g" matches only one string, "jpe+g".
- Everything to the right of # is considered a comment.
How to turn it on
On Linux (LAMP), Apache configurations typically already allow the use of the .htaccess file. On FreeBSD, you may need to specifically allow this file using the AllowOverride directive in the global or site-specific configuration.
AllowOverride All
Ban on reading all files in a directory
Access from a specific IP address
oder deny,allow
deny from all
allow from 192.168.0.1
allow from 192.168.0.2
where instead of 192.168.0.1, 192.168.0.2 IP addresses are indicated from which users can access the site. Otherwise - error 403.
Denying access from certain IP addresses
order allow,deny
allow from all
deny from 192.168.0.1
deny from 192.168.0.2
Where instead of the specified IPs it is necessary to indicate those from which access is denied.
Denying access to files by mask
order allow,deny
deny from all
Instead of ext1, ext2, ext3... we insert our extensions. Deny/access rules are determined in the same way as for the entire directory as a whole.
As a special case, you can set access for one specific file(however, taking into account the inheritance of .htaccess rights - this access or prohibition will apply to all sub-directories - i.e. to all files in this directory and all directories below):
order allow,deny
deny from all
Passwording a directory
Often used when creating websites that not everyone is allowed to access (or parts of which). When you try to open this url, the web browser will ask the user for a login and password.
AuthName "Enter access password"
AuthType Basic
AuthUserFile /var/www/mysite.ru/.htpasswd
require valid-user
ATTENTION! Please note that here the path to the .htpasswd file is specified from the root of the server's file system, not the site!
To use this method, you must have a .htpasswd file. How to create and use it is described on the same site in the web section. Here is an example of creating this file:
# htpasswd -c /var/www/mysite.ru/.htpasswd username password
If the -c switch is not specified, the htpasswd utility will not create the file again, but will add the user username to the existing ones.
Please note that with this authentication method, the login and password are transmitted in clear text, therefore it is recommended to use the HTTPS/SSL protocol.
As a special case, this construction can be used inside a block
Complex password protection
There is a site structure:
/mysite.ru/A
/mysite.ru/A/B1
/mysite.ru/A/B2
It is necessary to ensure that authentication is carried out only when all users access directory A, but at the same time, some users have access to directory B1, and others have access to directory B2.
We will need .htaccess files in each directory.
Htaccess for directory A:
AuthName "Enter password"
AuthType Basic
require valid-user
.htaccess for directory B1:
AuthName "Enter password"
AuthType Basic
AuthUserFile /var/www/mysite.ru/A/.htpasswd
require user username1 username2 username3
.htaccess for directory B2:
AuthName "Enter password"
AuthType Basic
AuthUserFile /var/www/mysite.ru/A/.htpasswd
require user username1 username4 username5
Instead of usernameX we substitute the names of users who have access to the corresponding directories.
Redirection (redirect) to another site
Redirect / http://www.anothersite.ru
If the redirect is permanent (i.e. forever - which is very useful for search engines), then the syntax will be like this:
Redirect permanent / http://www.anothersite.ru
If you use the word temp instead of permanent, the redirect will, on the contrary, be temporary.
Another example of a redirect - from a specific directory inside the site:
Redirect /dir2 http://www.anothersite.ru/dir2
Instead of the Redirect directive we use RedirectMatch directive. The difference is that instead of specifying the address from which to redirect, a regular expression is specified.
RedirectMatch (.*)\.gif$ http://mysite.ru/$1.png
Redirects all requests to .gif - to files of the same name, but with the extension .png, located at mysite.ru/
Another example:
RedirectMatch (.*\.jpg)$ http://mysite/$1
RewriteEngine On
RewriteCond %(HTTP_HOST) ^www\.old_site\.ru$
RewriteCond %(HTTP_HOST) ^old_site\.ru$
RewriteRule ^(.*)$ http://new_site.ru/$1
Show different pages depending on the user's IP address
SetEnvIf REMOTE_ADDR 192.168.0.1 REDIR="redir"
RewriteCond %(REDIR) redir
RewriteRule ^/$/another_page.html
Instead of 192.168.0.1 we insert our value.
Substitution of the start page
DirectoryIndex another_file.php
Essentially, here we are replacing the DirectoryIndex directive specified in the httpd.conf or apache.conf file.
Replacing error pages
ErrorDocument 403 /error403.html
ErrorDocument 404 /error404.html
Thus, when, for example, a 404 error occurs, the browser will not display its page, but will try to load a stylized page from the site.
Make it impossible to display a list of files in directories without an index file
Options -Indexes
Thus, the user will not be able to display the content of a directory where there is no index file (and in a directory where there is an index file, he cannot do this by default).
Specifying the displayed encoding
You can tell the browser what encoding the files are sent to it in. This will reduce the likelihood of errors in automatic detection encodings, if files are transferred in one, and for some reason the browser starts displaying them in another.
AddDefaultCharset windows-1251
Specifying auto-conversion of encoding of downloaded files
When uploading files to the site, they will be automatically converted to the specified encoding.
CharsetSourceEnc koi8-r
Adding MIME Handlers
AddType "text/html" .myext
AddType "application/x-rar-compressed" .rar
This way we can add directives to our site that are not described in the global Apache config.
Blocking certain User-Agents (web browsers, bots and robots)
Here is a piece of the .htaccess file in which several User-Agents (web browsers; bots, actually) are blocked.
SetEnvIfNoCase User-Agent "^Titan" bad_bot
SetEnvIfNoCase User-Agent "^Wget" bad_bot
SetEnvIfNoCase User-Agent "^SiteSnagger" bad_bot
SetEnvIfNoCase User-Agent "^WebAuto" bad_bot
SetEnvIfNoCase User-Agent "^NetAnts" bad_bot
SetEnvIfNoCase User-Agent "^WebZip/4.0" bad_bot
SetEnvIfNoCase User-Agent "^httplib" bad_bot
Order Allow, Deny
Allow from all
Deny from env=bad_bot
The list of “bad” User-Agents here is very small and is given only as an example.
PHP Settings
In addition to the httpd.conf and apache.conf variables, we may also need to change the values specified in php.ini php settings. .htaccess file allows you to do such nice things. The php_value and php_flag directives are used for this.
The difference between php_value and php_flag: the first directive assigns a specific value to the setting:
php_value
and the second one turns the boolean setting on or off:
php_flag
ATTENTION! You cannot use php_admin_flag and php_admin_value in a .htaccess file!
For example, code
php_flag magic_quotes_gpc 0
php_flag magic_quotes_runtime 0
will turn off automatic data escaping in PHP (turn off MagicQuotes), and the code
php_value memory_limit 64M
will override the value maximum quantity memory allocated for the site.
These values override the values defined in the php.ini file or define them if they were not set by the hosting server administrator. There is no point in listing the entire list of PHP settings here - it can be found in the documentation for php needed Versions for you.
Rewrite module
The Apache server includes the Rewrite module. Despite the fact that it is used in the .htaccess file, we will not describe it now, because This is a separate topic worthy of a separate article.
Relevant for: Apache 2.x
This is not all that can be done with the .htaccess file. There are a lot of specific examples on the Internet; the most frequently needed examples are collected here.