Htaccess - The Ultimate .Htaccess

AskApache Web Development <http://www.askapache.
com/>FREE THOUGHT FREE

SOFTWARE FREE WORLD <http://www.fsf.org/register_form?referrer=7511>
* Skip
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#ContentW>
Home <http://www.askapache.com/> Htaccess
<http://www.askapache.com/category/htaccess/> THE Ultimate Htaccess
Htaccess - THE Ultimate .htaccess
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html>
Unicode Character Reference
<http://www.askapache.com/web-development/unicode-character-reference.html>Crazy
POWERFUL Bash Prompt
<http://www.askapache.com/linux/bash-power-prompt.html>
by Charles Torvalds126 comments
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#disqus_thread>
Htaccess is a very ancient configuration file that controls the Web
Server running your website, and is one of the most powerful
configuration files you will ever come across. .htaccess has the ability
to control access of the WWW's HyperText Transfer Protocol (HTTP) using
Password Protection, 301 Redirects, rewrites, and much much more. This
is because this configuration file was coded in the earliest days of the
web (HTTP), for one of the first Web Servers ever! Eventually these Web
Servers (configured with htaccess) became known as the World Wide Web,
and eventually grew into the Internet we use today.
.htaccess file tutorial
<file:///tmp/maftemp-8ee24daf/1417061869000_504/htaccess-files.png>This
is not an /introduction to .htaccess/ This is the evolution of the best
of the best.
You've come to the right place if you are looking to acquire *mad
skills* for using .htaccess files.
Originally (2003) this guide was known in certain hacker circles and
hidden corners of the net as an /ultimate .htaccess/ due to the powerful
*htaccess tricks* and tips to bypass security on a webhost, and also
because many of the tricks and examples
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#htaccess-code-example
s>
were pretty impressive back then in that group.
Contents [hide]
* Htaccess - Evolved
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Htaccess_Evolved>
* AskApache Htaccess Journey
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#AskApache_Htacces
s_Journey>
* What Is .htaccess
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#What_Is_htaccess>
1. Creating Htaccess Files
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Creating_Htac
cess_Files>
2. Htaccess Scope
e>
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Htaccess_Scop
* Htaccess File Syntax

<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Htaccess_File_Syn
tax>
* Htaccess Directives
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Htaccess_Directiv
es>
* Main Server Config Examples
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Main_Server_Confi
g_Examples>
* Example .htaccess Code Snippets
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#htaccess_Code_Sni
ppets>
1. Redirect Everyone Except IP address to alternate page
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Redirect_IP_a
lternate_page>
2. When developing sites
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#developing_si
tes>
3. Fix double-login prompt
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Fix_double-lo
gin_prompt>
4. Set Timezone of the Server (GMT)
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Set_Timezone_
Server_GMT>
5. Administrator Email for ErrorDocument
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Administrator
_Email_ErrorDocument>
6. |ServerSignature| for |ErrorDocument|
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#ServerSignatu
re_ErrorDocument>
7. Charset and Language headers
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Charset_Langu
age_headers>
8. Disallow Script Execution
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Disallow_Scri
pt_Execution>
9. Deny Request Methods
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Deny_Request_
Methods>
10. Force "File Save As" Prompt
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Force_File_Sa
ve_Prompt>
11. Show CGI Source Code
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Show_CGI_Code
>
12. Serve all .pdf files on your site using .htaccess and
mod_rewrite with the php script.
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Serve_pdf_fil
es_site_htaccess_mod_rewrite_php>
13. Rewrite to www
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Rewrite_to_ww
w>
14. Rewrite to www dynamically
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Rewrite_dynam
ically>
15. 301 Redirect Old File
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#301_Redirect_
File>
16. 301 Redirect Entire Directory

Entire_Directory>
17. Protecting your php.cgi
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Protecting_ph
p-cgi>
18. Set Cookie based on Request
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Set_Cookie_ba
sed_Request>
19. Set Cookie with env variable
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Set_Cookie_en
v_variable>
20. Custom ErrorDocuments
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Custom_ErrorD
ocuments>
21. Implementing a Caching Scheme with .htaccess
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Implementing_
Caching_Scheme_htaccess>
22. Password Protect single file
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Password_Prot
ect_single_file>
23. Password Protect multiple files
ect_multiple_files>
24. Send Custom Headers
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Send_Custom_H
eaders>
25. Blocking based on User-Agent Header
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Blocking_base
d_User-Agent_Header>
26. Blocking with RewriteCond
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Blocking_Rewr
iteCond>
27. .htaccess for mod_php
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#htaccess_mod_
php>
28. .htaccess for php as cgi
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#htaccess_php_
cgi>
29. Shell wrapper for custom php.ini
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Shell_wrapper
_custom_php-ini>
30. Add values from HTTP Headers
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Add_values_HT
TP_Headers>
31. Stop hotlinking
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Stop_hotlinki
ng>
32. Turn logging off for IP
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Turn_logging_
IP>
33. Turn logging on for IP
IP-s0>
* Example .htaccess Files
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#htaccess_Files>
* Advanced Mod_Rewrites
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Advanced_Mod_Rewr
ites>
1. Directory Protection
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Directory_Pro
tection>
2. Password Protect wp-login.php
ect_wp-login-php>
3. Password Protect wp-admin
ect_wp-admin>
4. Protect wp-content
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Protect_wp-co
ntent>
5. Protect wp-includes
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Protect_wp-in
cludes>
6. Common Exploits
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Common_Exploi
ts>
7. Stop Hotlinking
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Stop_Hotlinki
ng>
8. Safe Request Methods
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Safe_Request_
Methods>
9. Forbid Proxies
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Forbid_Proxie
s>
10. Real wp-comments-post.php
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Real_wp-comme
nts-post-php>
11. HTTP PROTOCOL
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#HTTP_PROTOCOL
>
12. SPECIFY CHARACTERS
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#SPECIFY_CHARA
CTERS>
13. BAD Content Length
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#BAD_Content_L
ength>
14. BAD Content Type
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#BAD_Content_T
ype>
15. Missing HTTP_HOST
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Missing_HTTP_
HOST>
16. Bogus Graphics Exploit
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Bogus_Graphic
s_Exploit>
17. No UserAgent, Not POST
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#UserAgent_POS
T>
18. No Referer, No Comment
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Referer_Comme
nt>
19. Trackback Spam
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Trackback_Spa
m>
20. Map all URIs except those corresponding to existing files to a
handler
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Map_URIs_exis
ting_files_handler>
21. Map any request to a handler

<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Map_request_h
andler>
22. And for CGI scripts:
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#CGI_scripts>
23. Map URIs corresponding to existing files to a handler instead
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Map_URIs_exis
ting_files_handler-s0>
24. Deny access if var=val contains the string foo.
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Deny_access_v
arval_string_foo>
25. Removing the Query String
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Removing_Quer
y_String>
26. Adding to the Query String
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Adding_Query_
String>
27. Rewriting For Certain Query Strings
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Rewriting_Que
ry_Strings>
28. Modifying the Query String
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Modifying_Que
ry_String>
* Best .htaccess Articles
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#htaccess_Articles
>
1. .htaccess for Webmasters
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#htaccess_Webm
asters>
2. Mod_Rewrite URL Rewriting
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Mod_Rewrite_U
RL_Rewriting>
3. 301 Redirects without mod_rewrite
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#301_Redirects
_mod_rewrite>
4. Secure PHP with .htaccess
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Secure_PHP_ht
access>
5. .htaccess Cookie Manipulation
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#htaccess_Cook
ie_Manipulation>
6. .htaccess Caching
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#htaccess_Cach
ing>
7. Password Protection and Authentication
ection_Authentication>
8. Control HTTP Headers
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Control_HTTP_
Headers>
9. Blocking Spam and bad Bots
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Blocking_Spam
_bad_Bots>
10. PHP htaccess tips
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#PHP_htaccess_
tips>
11. HTTP to HTTPS Redirects with mod_rewrite
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#HTTP_HTTPS_Re
directs_mod_rewrite>
12. SSL in .htaccess
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#SSL_htaccess>
13. SetEnvIf and SetEnvIfNoCase in .htaccess
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#SetEnvIf_SetE
nvIfNoCase_htaccess>
14. Site Security with .htaccess
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Site_Security
_htaccess>
15. Merging Notes
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Merging_Notes
>
* My Favorite .htaccess Links
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Favorite_htaccess
_Links>
* Htaccess Directives
es-s0>
* Htaccess Modules
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Htaccess_Modules>
* Htaccess Software
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Htaccess_Software
>
* Technical Look at .htaccess
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Technical_htacces
s>
1. Per-directory configuration structures
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Per-directory
_configuration_structures>
2. Command handling
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Command_handl
ing>
1. mod_autoindex
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#mod_autoi
ndex>
2. mod_rewrite
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#mod_rewri
te>
3. Side notes --- per-server configuration, virtual servers, etc.
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Side_notes_pe
r-server_configuration_virtual>
4. Litespeed Htaccess support
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Litespeed_Hta
ccess_support>
Htaccess - Evolved
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Htaccess_Evolved>
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#toc>
The Hyper Text Transfer Protocol (HTTP) was initiated at the CERN in
Geneve (Switzerland), where it emerged (together with the HTML
presentation language) from the need to exchange scientific information
on a computer network in a simple manner. The first public HTTP
implementation only allowed for plain text information, and almost
instantaneously became a replacement of the GOPHER service. One of the
first text-based browsers was LYNX which still exists today; a graphical
HTTP client appeared very quickly with the name NCSA Mosaic. Mosaic was
a popular browser back in 1994. Soon the need for a more rich multimedia
experience was born, and the markup language provided support for a
growing multitude of media types.
Htaccess file know-how will do several things for you:

*
*
*
*
Make your
Allow you
Make your
Allow you
website noticeably faster.

to debug your server with ease.
life easier and more rewarding.
to work faster and more productively.
AskApache Htaccess Journey

<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#AskApache_Htacces
s_Journey> ^
*Skip this - still under edit*
I discovered these tips and tricks mostly while working as a network
security penetration specialist hired to find security holes in web
hosting environments. Shared hosting is the most common and cheapest
form of web-hosting where multiple customers are placed on a single
machine and "share" the resources (CPU/RAM/SPACE). The machines are
configured to basically ONLY do HTTP and FTP. No shells or any
interactive logins, no ssh, just FTP access. That is when I started
examining htaccess files in great detail and learned about the
incredible untapped power of htaccess. For 99% of the worlds best Apache
admins, they don't use .htaccess much, if AT ALL. It's much easier,
safer, and faster to configure Apache using the httpd.conf file instead.
However, this file is almost never readable on shared-hosts, and I've
never seen it writable. So the only avenue left for those on
shared-hosting was and is the .htaccess file, and holy freaking
fiber-optics.. it's almost as powerful as httpd.conf itself!
Most all .htaccess code works in the httpd.conf file, but not all
httpd.conf code works in .htaccess files, around 50%. So all the best
Apache admins and programmers never used .htaccess files. There was no
incentive for those with access to httpd.conf to use htaccess, and the
gap grew. It's common to see "computer gurus" on forums and mailing
lists rail against all uses and users of .htaccess files, smugly
announcing the well known problems with .htaccess files compared with
httpd.conf - I wonder if these "gurus" know the history of the htaccess
file, like it's use in the earliest versions of the HTTP Server- NCSA's
HTTPd, which BTW, became known as Apache HTTP. So you could easily say
that htaccess files predates Apache itself.
Once I discovered what .htaccess files could do towards helping me
enumerate and exploit security vulnerabilities even on big shared-hosts
I focused all my research into .htaccess files, meaning I was reading
the venerable Apache HTTP Source code 24/7! I compiled every released
version of the Apache Web Server, ever, even NCSA's, and focused on
enumerating the most powerful htaccess directives. Good times! Because
my focus was on protocol/file/network vulnerabilites instead of web dev
I built up a nice toolbox of htaccess tricks to do unusual things. When
I switched over to webdev in 2005 I started using htaccess for websites,
not research. I documented most of my favorites and rewrote the htaccess
guide for webdevelopers. After some great encouragement on various
forums and nets I decided to start a blog to share my work with
everyone, AskApache.com was registered, I published my guide, and it was
quickly plagiarized and scraped all over the net. Information is
freedom, and freedom is information, so this blog has the least
restrictive copyright for you. Feel free to modify, copy, republish,
sell, or use anything on this site ;)
What Is .htaccess
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#What_Is_htaccess>
Specifically, .htaccess is the default file name of a special

configuration file that provides a number of directives
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#htaccess-directives>
(commands) for controlling and configuring the Apache Web Server
<http://httpd.apache.org/>, and also to control and configure modules
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#htaccess-modules>
that can be built into the Apache installation, or included at run-time
like mod_rewrite (for htaccess rewrite), mod_alias (for htaccess
redirects), and mod_ssl (for controlling SSL connections).
*Htaccess* allows for decentralized management of Web Server
configurations which makes life very easy for web hosting companies and
especially their savvy consumers. They set up and run "server farms"
where many hundreds and thousands of web hosting customers are all put
on the same Apache Server. This type of hosting is called "virtual
hosting" and without .htaccess files would mean that every customer must
use the same exact settings as everyone else on their segment. So that
is why any half-decent web host allows/enables /(DreamHost, Powweb,
MediaTemple, GoDaddy) .htaccess files/, though few people are aware of
it. Let's just say that if I was a customer on your server-farm, and
.htaccess files were enabled, my websites would be a LOT faster than
yours, as these configuration files allow you to fully take advantage of
and utilize the resources allotted to you by your host. If even 1/10 of
the sites on a server-farm took advantage of what they are paying for,
the providers would go out of business.
*SKIP: *History of Htaccess in 1st Apache.
One of the design goals for this server was to maintain external
compatibility with the NCSA 1.3 server --- that is, to read the same
configuration files, to process all the directives therein
correctly, and in general to be a drop-in replacement for NCSA. On
the other hand, another design goal was to move as much of the
server's functionality into modules which have as little as possible
to do with the monolithic server core. The only way to reconcile
these goals is to move the handling of most commands from the
central server into the modules.
However, just giving the modules command tables is not enough to
divorce them completely from the server core. The server has to
remember the commands in order to act on them later. That involves
maintaining data which is private to the modules, and which can be
either per-server, or per-directory. Most things are per-directory,
including in particular access control and authorization
information, but also information on how to determine file types
from suffixes, which can be modified by AddType and DefaultType
directives, and so forth. In general, the governing philosophy is
that anything which can be made configurable by directory should be;
per-server information is generally used in the standard set of
modules for information like Aliases and Redirects which come into
play before the request is tied to a particular place in the
underlying file system.
Another requirement for emulating the NCSA server is being able to

handle the *per-directory configuration files, generally called
.htaccess files*, though even in the NCSA server they can contain
directives which have nothing at all to do with access control.
Accordingly, after URI -> filename translation, but before
performing any other phase, the server walks down the directory
hierarchy of the underlying filesystem, following the translated
pathname, to read any .htaccess files which might be present. The
information which is read in then has to be merged with the
applicable information from the server's own config files (either
from the || sections in access.conf, or from defaults in srm.conf,
which actually behaves for most purposes almost exactly like ||).
Finally, after having served a request which involved *reading
.htaccess files*, we need to discard the storage allocated for
handling them. That is solved the same way it is solved wherever
else similar problems come up, by tying those structures to the
per-transaction resource pool.
Creating Htaccess Files
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Creating_Htac
cess_Files> ^
What an Htaccess File Looks Like in Windows Explorer
<file:///tmp/maftemp-8ee24daf/1417061869000_504/htaccess-explorer.png>Htaccess
files use the default filename "|.htaccess|" but any unix-style file
name can be specified from the main server config
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#httpd-config-examples
>
using the |AccessFileName| directive. The file isn't |.htaccess.txt|,
its literally just named |.htaccess|.
View .htaccess files
<file:///tmp/maftemp-8ee24daf/1417061869000_504/viewing-htaccess-files.png>In
a Windows Environment like the one I use for work, you can change how
Windows opens and views .htaccess files by modifying the Folder Options
in explorer. As you can see, on my computer files ending in .htaccess
are recognized as having the HTACCESS extension and are handled/opened
by Adobe Dreamweaver CS4.
e> ^
Htaccess Scope
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Htaccess_Scop
Unlike the main server configuration files like httpd.conf

<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#httpd-config-examples
>,
*Htaccess files are read on every request* therefore changes in these
files take immediate effect. Apache searches all directories and
subdirectories that are htaccess-enabled for an .htaccess file which
results in performance loss due to file accesses. I've never noticed a
performance loss but OTOH, I know how to use them. If you do have access
to your main server configuration file, you should of course use that
instead, and lucky for you ALL the .htaccess tricks and examples can be
used there as well (just not vice versa).
Htaccess File Syntax

<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Htaccess_File_S
yntax> ^
Htaccess files follow the same syntax as the main Apache configuration
files, for powerusers here's an apache.vim
<http://uploads.askapache.com/2009/01/apache.vim> for VI. The one main
difference is the context of the directive, which means whether or not
that directive is ALLOWED to be used inside of an .htaccess file.
Htaccess files are incredibly powerful, and can also be very dangerous
as some directives allowed in the main configuration files would allow
users/customers to completely bypass
security/bandwidth-limits/resource-limits/file-permissions, etc.. About
1/4 of all Apache directives cannot be used inside an .htaccess file
(also known as a per-directory context config). The Apache Developers
are well-regarded throughout the world as being among some of the best
programmers, ever. To enable a disallowed directive inside a .htaccess
file would require modifying the source code and re-compiling the server
(which they allow and encourage if you are the owner/admin).
Htaccess Directives
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Htaccess_Direct
ives> ^
*Don't ask why*, but I personally downloaded each major/beta release of
the Apache HTTPD source code from version 1.3.0 to version 2.2.10 (all
63 Apache versions!), then I *configured and compiled each version for a
custom HTTPD installation built from source*. This allowed me to find
*every directive allowed in .htaccess files
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#htaccess-directives-l
ist>*
for each particular version, which has never been done before, or since.
*YES!*/I think that is so cool../
*An .htaccess directive* is basically a command that is specific to a
module or builtin to the core that performs a specific task or sets a
specific setting for how Apache serves your WebSite. Directives placed
in Htaccess files *apply to the directory they are in, and all
sub-directories*. Here's the 3 top links (/official Apache Docs/) you
will repeatedly use, bookmark/print/save them.
htaccess Context Legend
<http://uploads.askapache.com/2008/08/htaccess-up1.png>
1. Terms Used to Describe Directives
<http://httpd.apache.org/docs/trunk/mod/directive-dict.html>
2. Official List of Apache Directives
<http://httpd.apache.org/docs/trunk/mod/directives.html>
3. Directive Quick-Reference -- with Context
<http://httpd.apache.org/docs/trunk/mod/quickreference.html>
-----------------------------------------------------------------------Main Server Config Examples
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Main_Server_Confi
g_Examples> ^
Now lets take a look at some htaccess examples to get a feel for the
syntax and some general ideas at the capabilities. Some of the best
examples for .htaccess files are included with Apache for main server
config <http://httpd.apache.org/docs/trunk/configuring.html> files, so
lets take a quick look at a couple of them on our way down to the actual
.htaccess examples further down the page (this site has thousands, take
your time). The basic syntax is *a line starting with # is a comment,
everything else are directives followed by the directive argument*.
*httpd-multilang-errordoc.conf
<http://uploads.askapache.com/2008/08/httpd-multilang-errordocconf.in>*:
The configuration below implements multi-language error documents
through content-negotiation
Here are the rest of them if you wanna take a look. (httpd-mpm.conf
<http://uploads.askapache.com/2008/08/httpd-mpmconf.in>,
httpd-default.conf
<http://uploads.askapache.com/2008/08/httpd-defaultconf.in>,
httpd-ssl.conf <http://uploads.askapache.com/2008/08/httpd-sslconf.in>,
httpd-info.conf
<http://uploads.askapache.com/2008/08/httpd-infoconf.in>,
httpd-vhosts.conf
<http://uploads.askapache.com/2008/08/httpd-vhostsconf.in>,
httpd-dav.conf <http://uploads.askapache.com/2008/08/httpd-davconf.in>)
-----------------------------------------------------------------------Example .htaccess Code Snippets
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#htaccess_Code_Sni
ppets> ^
Here are some specific examples, this is the most popular section of
this page. Updated frequently.
Redirect Everyone Except IP address to alternate page
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Redirect_IP_a
lternate_page> ^
ErrorDocument 403 http://www.yahoo.com/
Order deny,allow
Deny from all
Allow from 208.113.134.190
tes> ^
When developing sites

<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#developing_si
This lets google crawl the page, lets me access without a password, and
lets my client access the page WITH a password. It also allows for XHTML
and CSS validation! (w3.org)
AuthName "Under Development"

AuthUserFile /web/sitename.com/.htpasswd
AuthType basic
Require valid-user
Order deny,allow
Deny from all
Allow from 208.113.134.190 w3.org htmlhelp.com googlebot.com
Satisfy Any
Fix double-login prompt
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Fix_double-lo
gin_prompt> ^
Redirect non-https requests to https server and ensure that *.htpasswd
authorization* can only be entered across HTTPS
SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "askapache.com"
ErrorDocument 403 https://askapache.com
Set Timezone of the Server (GMT)
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Set_Timezone_
Server_GMT> ^
SetEnv TZ America/Indianapolis
Administrator Email for ErrorDocument
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Administrator
_Email_ErrorDocument> ^
SetEnv SERVER_ADMIN webmaster@google.com
|ServerSignature| for |ErrorDocument|
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#ServerSignatu
re_ErrorDocument> ^
ServerSignature off | on | email
Charset and Language headers
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Charset_Langu
age_headers> ^
Article: Setting Charset in htaccess
<http://www.askapache.com/htaccess/setting-charset-in-htaccess.html>,
and article by Richard Ishida
<http://www.w3.org/International/questions/qa-htaccess-charset>
AddDefaultCharset UTF-8
DefaultLanguage en-US
Disallow Script Execution
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Disallow_Scri
pt_Execution> ^
Options -ExecCGI
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Deny Request Methods
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Deny_Request_
Methods> ^
RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|OPTIONS|POST|PUT)
RewriteRule .* - [F]
Force "File Save As" Prompt
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Force_File_Sa
ve_Prompt> ^
AddType application/octet-stream .avi .mpg .mov .pdf .xls .mp4
> ^
Show CGI Source Code

<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Show_CGI_Code
RemoveHandler cgi-script .pl .py .cgi

AddType text/plain .pl .py .cgi
Serve all .pdf files on your site using .htaccess and
mod_rewrite with the php script.
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Serve_pdf_fil
es_site_htaccess_mod_rewrite_php> ^
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^(.+)\.pdf$ /cgi-bin/pdf.php?file=$1 [L,NC,QSA]
w> ^
Rewrite to www
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Rewrite_to_ww
RewriteCond %{REQUEST_URI} !^/(robots\.txt|favicon\.ico|sitemap\.xml)$

RewriteCond %{HTTP_HOST} !^www\.askapache\.com$ [NC]
RewriteRule ^(.*)$ /$1 [R=301,L]
Rewrite to www dynamically

<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Rewrite_dynam
ically> ^
RewriteCond
RewriteCond
RewriteCond
RewriteRule
%{REQUEST_URI} !^/robots\.txt$ [NC]

%{HTTP_HOST} !^www\.[a-z-]+\.[a-z]{2,6} [NC]
%{HTTP_HOST} ([a-z-]+\.[a-z]{2,6})$ [NC]
^/(.*)$ http://%1/$1 [R=301,L]
File> ^
301 Redirect Old File

Redirect 301 /old/file.html /new/file.html

301 Redirect Entire Directory
Entire_Directory> ^
RedirectMatch 301 /blog(.*) /$1
Protecting your php.cgi
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Protecting_ph
p-cgi> ^
<FilesMatch "^php5?\.(ini|cgi)$">
Order Deny,Allow
Deny from All
Allow from env=REDIRECT_STATUS
</FilesMatch>
Set Cookie based on Request
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Set_Cookie_ba
sed_Request> ^
This code sends the |Set-Cookie| header to create a cookie on the client
with the value of a matching item in 2nd parantheses.
RewriteEngine On
RewriteBase /
RewriteRule ^(.*)(de|es|fr|it|ja|ru|en)/$ - [co=lang:$2:.askapache.com:7200:/]
Set Cookie with env variable
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Set_Cookie_en
v_variable> ^
Header set Set-Cookie "language=%{lang}e; path=/;" env=lang
Custom ErrorDocuments
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Custom_ErrorD
ocuments> ^
ErrorDocument
ErrorDocument
ErrorDocument
ErrorDocument
ErrorDocument
ErrorDocument
ErrorDocument
ErrorDocument
ErrorDocument
ErrorDocument
ErrorDocument
ErrorDocument
ErrorDocument
ErrorDocument
ErrorDocument
ErrorDocument
ErrorDocument
ErrorDocument
ErrorDocument
ErrorDocument
ErrorDocument
ErrorDocument
ErrorDocument
100
101
102
200
201
202
203
204
205
206
207
300
301
302
303
304
305
307
400
401
402
403
404
/100_CONTINUE
/101_SWITCHING_PROTOCOLS
/102_PROCESSING
/200_OK
/201_CREATED
/202_ACCEPTED
/203_NON_AUTHORITATIVE
/204_NO_CONTENT
/205_RESET_CONTENT
/206_PARTIAL_CONTENT
/207_MULTI_STATUS
/300_MULTIPLE_CHOICES
/301_MOVED_PERMANENTLY
/302_MOVED_TEMPORARILY
/303_SEE_OTHER
/304_NOT_MODIFIED
/305_USE_PROXY
/307_TEMPORARY_REDIRECT
/400_BAD_REQUEST
/401_UNAUTHORIZED
/402_PAYMENT_REQUIRED
/403_FORBIDDEN
/404_NOT_FOUND
ErrorDocument
ErrorDocument
ErrorDocument
ErrorDocument
ErrorDocument
ErrorDocument
ErrorDocument
ErrorDocument
ErrorDocument
ErrorDocument
ErrorDocument
ErrorDocument
ErrorDocument
ErrorDocument
ErrorDocument
ErrorDocument
ErrorDocument
ErrorDocument
ErrorDocument
ErrorDocument
ErrorDocument
ErrorDocument
ErrorDocument
ErrorDocument
ErrorDocument
ErrorDocument
405
406
407
408
409
410
411
412
413
414
415
416
417
422
423
424
426
500
501
502
503
504
505
506
507
510
/405_METHOD_NOT_ALLOWED
/406_NOT_ACCEPTABLE
/407_PROXY_AUTHENTICATION_REQUIRED
/408_REQUEST_TIME_OUT
/409_CONFLICT
/410_GONE
/411_LENGTH_REQUIRED
/412_PRECONDITION_FAILED
/413_REQUEST_ENTITY_TOO_LARGE
/414_REQUEST_URI_TOO_LARGE
/415_UNSUPPORTED_MEDIA_TYPE
/416_RANGE_NOT_SATISFIABLE
/417_EXPECTATION_FAILED
/422_UNPROCESSABLE_ENTITY
/423_LOCKED
/424_FAILED_DEPENDENCY
/426_UPGRADE_REQUIRED
/500_INTERNAL_SERVER_ERROR
/501_NOT_IMPLEMENTED
/502_BAD_GATEWAY
/503_SERVICE_UNAVAILABLE
/504_GATEWAY_TIME_OUT
/505_VERSION_NOT_SUPPORTED
/506_VARIANT_ALSO_VARIES
/507_INSUFFICIENT_STORAGE
/510_NOT_EXTENDED
Implementing a Caching Scheme with .htaccess

<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Implementing_
Caching_Scheme_htaccess> ^
# year
<FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|swf|mp3|mp4)$">
Header set Cache-Control "public"
Header set Expires "Thu, 15 Apr 2010 20:00:00 GMT"
Header unset Last-Modified
</FilesMatch>
#2 hours
<FilesMatch "\.(html|htm|xml|txt|xsl)$">
Header set Cache-Control "max-age=7200, must-revalidate"
</FilesMatch>
<FilesMatch "\.(js|css)$">
SetOutputFilter DEFLATE
</FilesMatch>
Password Protect single file
ect_single_file> ^
<Files login.php>
AuthName "Prompt"
AuthType Basic
AuthUserFile /web/askapache.com/.htpasswd
Require valid-user
</Files>
Password Protect multiple files
ect_multiple_files> ^
<FilesMatch "^(private|phpinfo).*$">
AuthName "Development"
AuthUserFile /.htpasswd
AuthType basic
Require valid-user
</FilesMatch>
Send Custom Headers
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Send_Custom_H
eaders> ^
Header
Header
Header
Header
set
set
set
set
P3P "policyref="/w3c/p3p.xml""
X-Pingback "/xmlrpc.php"
Content-Language "en-US"
Vary "Accept-Encoding"
Blocking based on User-Agent Header

<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Blocking_base
d_User-Agent_Header> ^
SetEnvIfNoCase Ûser-Agent$ .*(craftbot|download|extract|stripper|sucker|ninja|c

lshttp|webspider|leacher|collector|grabber|webpictures) HTTP_SAFE_BADBOT
SetEnvIfNoCase Ûser-Agent$ .*(libwww-perl|aesop_com_spiderman) HTTP_SAFE_BADBOT
Deny from env=HTTP_SAFE_BADBOT
Blocking with RewriteCond
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Blocking_Rewr
iteCond> ^
RewriteCond %{HTTP_USER_AGENT} ^.*(craftbot|download|extract|stripper|sucker|nin
ja|clshttp|webspider|leacher|collector|grabber|webpictures).*$ [NC]
RewriteRule . - [F,L]
php> ^
.htaccess for mod_php

<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#htaccess_mod_
SetEnv PHPRC /location/todir/containing/phpinifile
cgi> ^
.htaccess for php as cgi

<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#htaccess_php_
AddHandler php-cgi .php .htm

Action php-cgi /cgi-bin/php5.cgi
Shell wrapper for custom php.ini
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Shell_wrapper
_custom_php-ini> ^
#!/bin/sh
export PHP_FCGI_CHILDREN=3
exec php5.cgi -c /abs/php5/php.ini
Add values from HTTP Headers
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Add_values_HT
TP_Headers> ^
SetEnvIfNoCase
SetEnvIfNoCase
SetEnvIfNoCase
SetEnvIfNoCase
SetEnvIfNoCase
SetEnvIfNoCase
SetEnvIfNoCase
ng> ^
Îf-Modified-Since$ "(.+)" HTTP_IF_MODIFIED_SINCE=$1

Îf-None-Match$ "(.+)" HTTP_IF_NONE_MATCH=$1
^Cache-Control$ "(.+)" HTTP_CACHE_CONTROL=$1
^Connection$ "(.+)" HTTP_CONNECTION=$1
^Keep-Alive$ "(.+)" HTTP_KEEP_ALIVE=$1
Âuthorization$ "(.+)" HTTP_AUTHORIZATION=$1
^Cookie$ "(.+)" HTTP_MY_COOKIE=$1
Stop hotlinking
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Stop_hotlinki
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?askapache\.com/.*$ [NC]
RewriteRule \.(gif|jpg|swf|flv|png)$ /feed.gif [R=302,L]
IP> ^
Turn logging off for IP

SecFilterSelective REMOTE_ADDR "208\.113\.183\.103" "nolog,noauditlog,pass"

Turn logging on for IP
IP-s0> ^
SecFilterSelective REMOTE_ADDR "!^208\.113\.183\.103" "nolog,noauditlog,pass"

SecFilterSelective REMOTE_ADDR "208\.113\.183\.103" "log,auditlog,pass"
-----------------------------------------------------------------------Example .htaccess Files
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#htaccess_Files> ^
Here are some samples and examples taken from different .htaccess files
I've used over the years. Specific solutions are farther down on this
page and throughout the site.
# Set the Time Zone of your Server
# ServerAdmin: This address appears on some server-generated pages, such as err
or documents.
SetEnv SERVER_ADMIN webmaster@askapache.com
# Possible values for the Options directive are "None", "All", or any combinatio
n of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
Options -ExecCGI -MultiViews -Includes -Indexes FollowSymLinks
# DirectoryIndex: sets the file that Apache will serve if a directory is request
ed.
DirectoryIndex index.html index.php /index.php
# Action lets you define media types that will execute a script whenever
# a matching file is called. This eliminates the need for repeated URL
# pathnames for oft-used CGI file processors.
# Format: Action media/type /cgi-script/location
# Format: Action handler-name /cgi-script/location
#
Action php5-cgi /bin/php.cgi
# AddHandler allows you to map certain file extensions to "handlers":
# actions unrelated to filetype. These can be either built into the server
# or added with the Action directive (see below)

#
# To use CGI scripts outside of ScriptAliased directories:
# (You will also need to add "ExecCGI" to the "Options" directive.)
#
AddHandler php-cgi .php .inc
# Commonly used filename extensions to character sets.
# AddType allows you to add to or override the MIME configuration
AddType 'application/rdf+xml; charset=UTF-8' .rdf
AddType 'application/xhtml+xml; charset=UTF-8' .xhtml
AddType 'application/xhtml+xml; charset=UTF-8' .xhtml.gz
AddType 'text/html; charset=UTF-8' .html
AddType 'text/html; charset=UTF-8' .html.gz
AddType application/octet-stream .rar .chm .bz2 .tgz .msi .pdf .exe
AddType application/vnd.ms-excel .csv
AddType application/x-httpd-php-source .phps
AddType application/x-pilot .prc .pdb
AddType application/x-shockwave-flash .swf
AddType application/xrds+xml .xrdf
AddType text/plain .ini .sh .bsh .bash .awk .nawk .gawk .csh .var .c .in .h .asc
.md5 .sha .sha1
AddType video/x-flv .flv
# AddEncoding allows you to have certain browsers uncompress information on the
fly. Note: Not all browsers support this.
AddEncoding x-compress .Z
AddEncoding x-gzip .gz .tgz
# DefaultType: the default MIME type the server will use for a document.
DefaultType text/html
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
ServerSignature Off
## MAIN DEFAULTS
Options +ExecCGI -Indexes
DirectoryIndex index.html index.htm index.php
DefaultLanguage en-US
ServerSignature Off
## ENVIRONMENT VARIABLES
SetEnv PHPRC /webroot/includes
SetEnv SERVER_ADMIN webmaster@askapache.com
## MIME
AddType
AddType
AddType
TYPES
video/x-flv .flv
application/x-shockwave-flash .swf
image/x-icon .ico
## FORCE FILE TO DOWNLOAD INSTEAD OF APPEAR IN BROWSER

# http://www.htaccesselite.com/addtype-addhandler-action-vf6.html
AddType application/octet-stream .mov .mp3 .zip
## ERRORDOCUMENTS
# http://askapache.com/htaccess/apache-status-code-headers-errordocument.html
ErrorDocument 400 /e400/
#
#
#
#
#
#
#
#
#
#
#
Handlers be builtin, included in a module, or added with Action directive

default-handler: default, handles static content (core)
send-as-is: Send file with HTTP headers (mod_asis)
cgi-script: treat file as CGI script (mod_cgi)
imap-file: Parse as an imagemap rule file (mod_imap)
server-info: Get server config info (mod_info)
server-status: Get server status report (mod_status)
type-map: type map file for content negotiation (mod_negotiation)
fastcgi-script: treat file as fastcgi script (mod_fastcgi)
/php/custom-phpini-tips-and-tricks.html
## PARSE AS CGI
AddHandler cgi-script .cgi .pl .spl
## RUN PHP AS APACHE MODULE
AddHandler application/x-httpd-php .php .htm
## RUN PHP AS CGI
## CGI PHP WRAPPER FOR CUSTOM PHP.INI
AddHandler phpini-cgi .php .htm
Action phpini-cgi /cgi-bin/php5-custom-ini.cgi
## FAST-CGI SETUP WITH PHP-CGI WRAPPER FOR CUSTOM PHP.INI
AddHandler fastcgi-script .fcgi
Action php-cgi /cgi-bin/php5-wrapper.fcgi
## CUSTOM PHP CGI BINARY SETUP
Action php-cgi /cgi-bin/php.cgi
## PROCESS SPECIFIC FILETYPES WITH CGI-SCRIPT
Action image/gif /cgi-bin/img-create.cgi
## CREATE CUSTOM HANDLER FOR SPECIFIC FILE EXTENSIONS
AddHandler custom-processor .ssp
Action custom-processor /cgi-bin/myprocessor.cgi
### HEADER CACHING
# /htaccess/speed-up-sites-with-htaccess-caching.html
<FilesMatch "\.(flv|gif|jpg|jpeg|png|ico)$">
Header set Cache-Control "max-age=2592000"
</FilesMatch>
<FilesMatch "\.(js|css|pdf|swf)$">
</FilesMatch>
<FilesMatch "\.(html|htm|txt)$">
</FilesMatch>
<FilesMatch "\.(pl|php|cgi|spl|scgi|fcgi)$">
Header unset Cache-Control
</FilesMatch>
## ALTERNATE EXPIRES CACHING
# htaccesselite.com/d/use-htaccess-to-speed-up-your-site-discussion-vt67.html
ExpiresActive On
ExpiresDefault A604800
ExpiresByType image/x-icon A2592000
ExpiresByType application/x-javascript A2592000
ExpiresByType text/css A2592000
ExpiresByType text/html A300
<FilesMatch "\.(pl|php|cgi|spl|scgi|fcgi)$">
ExpiresActive Off
</FilesMatch>
## META HTTP-EQUIV REPLACEMENTS
<FilesMatch "\.(html|htm|php)$">
Header set imagetoolbar "no"
</FilesMatch>
Here are some default MOD_REWRITE code examples.
## REWRITE DEFAULTS
RewriteEngine On
RewriteBase /
## REQUIRE SUBDOMAIN
RewriteCond %{HTTP_HOST} !^$
RewriteCond %{HTTP_HOST} !^subdomain\.askapache\.com$ [NC]
RewriteRule ^/(.*)$ http://subdomain.askapache.com/$1 [L,R=301]
## SEO REWRITES
RewriteRule ^(.*)/ve/(.*)$ $1/voluntary-employee/$2 [L,R=301]
RewriteRule ^(.*)/hsa/(.*)$ $1/health-saving-account/$2 [L,R=301]
## WORDPRESS
RewriteCond %{REQUEST_FILENAME} !-f # Existing File
RewriteCond %{REQUEST_FILENAME} !-d # Existing Directory
RewriteRule . /index.php [L]
## ALTERNATIVE ANTI-HOTLINKING
RewriteCond %{HTTP_REFERER} !^http://(subdomain\.)?askapache\.com/.*$ [NC]
RewriteRule ^.*\.(bmp|tif|gif|jpg|jpeg|jpe|png)$ - [F]
## REDIRECT
RewriteCond
RewriteCond
RewriteRule
HOTLINKERS
%{HTTP_REFERER} !^$
%{HTTP_REFERER} !^http://(subdomain\.)?askapache\.com/.*$ [NC]
^.*\.(bmp|tif|gif|jpg|jpeg|jpe|png)$ http://google.com [R]
## DENY REQUEST BASED ON REQUEST METHOD

RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS|HEAD)$ [NC]
RewriteRule ^.*$ - [F]
## REDIRECT UPLOADS
RewriteCond %{REQUEST_METHOD} ^(PUT|POST)$ [NC]
RewriteRule ^(.*)$ /cgi-bin/form-upload-processor.cgi?p=$1 [L,QSA]
## REQUIRE SSL EVEN WHEN MOD_SSL IS NOT LOADED
RewriteCond %{HTTPS} !=on [NC]
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
### ALTERNATATIVE TO USING ERRORDOCUMENT
# http://www.htaccesselite.com/d/htaccess-errordocument-examples-vt11.html
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^.*$ /error.php [L]
## SEO REDIRECTS
Redirect 301 /2006/oldfile.html http://subdomain.askapache.com/newfile.html
RedirectMatch 301 /o/(.*)$ http://subdomain.askapache.com/s/dl/$1
Examples of protecting your files and securing with password protection.
#
# Require (user|group|valid-user) (username|groupname)
#
## BASIC PASSWORD PROTECTION
AuthType basic
AuthName "prompt"
AuthGroupFile /dev/null
Require valid-user
## ALLOW FROM IP OR VALID PASSWORD
Require valid-user
Allow from 192.168.1.23
Satisfy Any
## PROTECT FILES
<FilesMatch "\.(htaccess|htpasswd|ini|phps|fla|psd|log|sh)$">
Order Allow,Deny
Deny from all
</FilesMatch>
## PREVENT HOTLINKING
SetEnvIfNoCase Referer "^http://subdomain.askapache.com/" good
SetEnvIfNoCase Referer "^$" good
<FilesMatch "\.(png|jpg|jpeg|gif|bmp|swf|flv)$">
Order Deny,Allow
Deny from all
Allow from env=good
ErrorDocument 403 http://www.google.com/intl/en_ALL/images/logo.gif
ErrorDocument 403 /images/you_bad_hotlinker.gif
</FilesMatch>
## LIMIT UPLOAD FILE SIZE TO PROTECT AGAINST DOS ATTACK
#bytes, 0-2147483647(2GB)
LimitRequestBody 10240000
## MOST SECURE WAY TO REQUIRE SSL
# /htaccess/apache-ssl-in-htaccess-examples.html
SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "askapache.com"

ErrorDocument 403 https://askapache.com
## COMBINED DEVELOPER HTACCESS CODE-USE THIS
<FilesMatch "\.(flv|gif|jpg|jpeg|png|ico|js|css|pdf|swf|html|htm|txt)$">
</FilesMatch>
AuthType basic
AuthName "Ooops! Temporarily Under Construction..."
Require valid-user
# password prompt for everyone else
Order Deny,Allow
Deny from all
Allow from 192.168.64.5 # Your, the developers IP address
Allow from w3.org
# css/xhtml check jigsaw.w3.org/css-validator/
Allow from googlebot.com # Allows google to crawl your pages
Satisfy Any
# no password required if host/ip is Allowed
## DONT HAVE TO EMPTY CACHE OR RELOAD TO SEE CHANGES
ExpiresDefault A5 #If using mod_expires
<FilesMatch "\.(flv|gif|jpg|jpeg|png|ico|js|css|pdf|swf|html|htm|txt)$">
</FilesMatch>
## ALLOW ACCESS WITH PASSWORD OR NO PASSWORD FOR SPECIFIC IP/HOSTS
AuthType basic
AuthName "Ooops! Temporarily Under Construction..."
Require valid-user
# password prompt for everyone else
Order Deny,Allow
Deny from all
Allow from 192.168.64.5 # Your, the developers IP address
Allow from w3.org
# css/xhtml check jigsaw.w3.org/css-validator/
Allow from googlebot.com # Allows google to crawl your pages
Satisfy Any
# no password required if host/ip is Allowed
-----------------------------------------------------------------------Advanced Mod_Rewrites
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Advanced_Mod_Rewr
ites> ^
Here are some specific htaccess
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html> examples
taken mostly from my WordPress Password Protection plugin, which does
alot more than password protection as you will see from the following
mod_rewrite examples. These are a few of the mod_rewrite uses that
BlogSecurity declared *pushed the boundaries of Mod_Rewrite!* Some of
these snippets are quite exotic and unlike anything you may have seen
before, also only for those who understand them as they can kill a
website pretty quick.
Directory Protection
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Directory_Prote
ction> ^
Enable the DirectoryIndex Protection, preventing directory index
listings and defaulting. [Disable
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html>]
Options -Indexes
DirectoryIndex index.html index.php /index.php
Password Protect wp-login.php
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Password_Protec
t_wp-login-php> ^
Requires a valid user/pass to access the login page[401
<http://www.askapache.com/htaccess/apache-status-code-headers-errordocument.html
#status-401>]
<Files wp-login.php>
Order Deny,Allow
Deny from All
Satisfy Any
AuthName "Protected By AskApache"
AuthUserFile /web/askapache.com/.htpasswda1
AuthType Basic
Require valid-user
</Files>
Password Protect wp-admin
t_wp-admin> ^
Requires a valid user/pass to access any non-static (css, js, images)
file in this directory.[401
#status-401>]
Options -ExecCGI -Indexes +FollowSymLinks -Includes
DirectoryIndex index.php /index.php
Order Deny,Allow
Deny from All
Satisfy Any
AuthName "Protected By AskApache"
AuthUserFile /web/askapache.com/.htpasswda1
AuthType Basic
Require valid-user
<FilesMatch "\.(ico|pdf|flv|jpg|jpeg|mp3|mpg|mp4|mov|wav|wmv|png|gif|swf|css|js)
$">
Allow from All
</FilesMatch>
<FilesMatch "(async-upload)\.php$">
<IfModule mod_security.c>
SecFilterEngine Off
</IfModule>
Allow from All
</FilesMatch>
Protect wp-content
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Protect_wp-cont
ent> ^
Denies any Direct request for files ending in .php with a 403
Forbidden.. May break plugins/themes [401
#status-401>]
RewriteCond
RewriteCond
RewriteCond
RewriteRule
%{THE_REQUEST} ^[A-Z]{3,9}\ /wp-content/.*$ [NC]

%{REQUEST_FILENAME} !^.+flexible-upload-wp25js.php$
%{REQUEST_FILENAME} ^.+\.(php|html|htm|txt)$
.* - [F,NS,L]
Protect wp-includes
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Protect_wp-incl
udes> ^
Denies any Direct request for files ending in .php with a 403
Forbidden.. May break plugins/themes [403
#status-403>]
RewriteCond
RewriteCond
RewriteCond
RewriteRule
> ^
%{THE_REQUEST} ^[A-Z]{3,9}\ /wp-includes/.*$ [NC]

%{THE_REQUEST} !^[A-Z]{3,9}\ /wp-includes/js/.+/.+\ HTTP/ [NC]
%{REQUEST_FILENAME} ^.+\.php$
.* - [F,NS,L]
Common Exploits
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Common_Exploits
Block common exploit requests with 403 Forbidden. These can help alot,
may break some plugins. [403
#status-403>]
RewriteCond %{REQUEST_URI}
ludes/).* [NC]
RewriteCond %{THE_REQUEST}
[NC,OR]
TTP/ [NC]
RewriteRule .* - [F,NS,L]
> ^
!^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-inc
^[A-Z]{3,9}\ ///.*\ HTTP/ [NC,OR]
^[A-Z]{3,9}\ /.*\?\=?(http|ftp|ssl|https):/.*\ HTTP/
^[A-Z]{3,9}\ /.*\?\?.*\ HTTP/ [NC,OR]
^[A-Z]{3,9}\ /.*\.(asp|ini|dll).*\ HTTP/ [NC,OR]
^[A-Z]{3,9}\ /.*\.(htpasswd|htaccess|aahtpasswd).*\ H
Stop Hotlinking
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Stop_Hotlinking
Denies any request for static files (images, css, etc) if referrer is
not local site or empty. [403
#status-403>]
RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-inc
ludes/).* [NC]
RewriteCond %{HTTP_REFERER} !^http://www.askapache.com.*$ [NC]
RewriteRule \.(ico|pdf|flv|jpg|jpeg|mp3|mpg|mp4|mov|wav|wmv|png|gif|swf|css|js)$
- [F,NS,L]
Safe Request Methods
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Safe_Request_Me
thods> ^
Denies any request not using GET,PROPFIND,POST,OPTIONS,PUT,HEAD
<http://www.askapache.com/online-tools/request-method-scanner/>[403
#status-403>]
RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST|PROPFIND|OPTIONS|PUT)$ [NC]
Forbid Proxies
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Forbid_Proxies>
Denies any POST Request using a Proxy Server. Can still access site, but
not comment. See Perishable Press
<http://perishablepress.com/press/2008/04/20/how-to-block-proxy-servers-via-htac
cess/>
[403
#status-403>]
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP:VIA}%{HTTP:FORWARDED}%{HTTP:USERAGENT_VIA}%{HTTP:X_FORWARDED_
FOR}%{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XPROXY_CONNECTION}%{HTTP:HTTP_PC_REMOTE_ADDR}%{HTTP:HTTP_CLIE
NT_IP} !^$
ludes/).* [NC]
Real wp-comments-post.php
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Real_wp-comment
s-post-php> ^
Denies any POST attempt made to a non-existing wp-comments-post.php[403
#status-403>]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*/wp-comments-post\.php.*\ HTTP/ [NC]
HTTP PROTOCOL
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#HTTP_PROTOCOL>
Denies any badly formed HTTP PROTOCOL in the request, 0.9, 1.0, and 1.1
only[403
#status-403>]
RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ .+\ HTTP/(0\.9|1\.0|1\.1) [NC]
SPECIFY CHARACTERS
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#SPECIFY_CHARACT
ERS> ^
Denies any request for a url containing characters other than

"a-zA-Z0-9.+/-?=&" - REALLY helps but may break your site depending on
your links. [403
#status-403>]
ludes/).* [NC]
RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ [a-zA-Z0-9\.\+_/\-\?\=\&]+\ HTTP/ [NC]
BAD Content Length
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#BAD_Content_Len
gth> ^
Denies any POST request that doesnt have a Content-Length Header[403

#status-403>]
RewriteCond
RewriteCond
RewriteCond
]
RewriteRule
e> ^
%{REQUEST_METHOD} =POST
%{HTTP:Content-Length} ^$
%{REQUEST_URI} !^/(wp-admin/|wp-content/plugins/|wp-includes/).* [NC
.* - [F,NS,L]
BAD Content Type

<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#BAD_Content_Typ
Denies any POST request with a content type other than

application/x-www-form-urlencoded|multipart/form-data[403
#status-403>]

RewriteCond %{HTTP:Content-Type} !^(application/x-www-form-urlencoded|multipart/
form-data.*(boundary.*)?)$ [NC]
ludes/).* [NC]
ST> ^
Missing HTTP_HOST
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Missing_HTTP_HO
Denies requests that dont contain a HTTP HOST Header.[403

#status-403>]
ludes/).* [NC]
RewriteCond %{HTTP_HOST} ^$
Bogus Graphics Exploit
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Bogus_Graphics_
Exploit> ^
Denies obvious exploit using bogus graphics[403
#status-403>]
RewriteCond %{HTTP:Content-Disposition} \.php [NC]
RewriteCond %{HTTP:Content-Type} image/.+ [NC]
No UserAgent, Not POST

<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#UserAgent_POST>
Denies POST requests by blank user-agents. May prevent a small number of

visitors from POSTING. [403
#status-403>]
RewriteCond %{HTTP_USER_AGENT} ^-?$
ludes/).* [NC]
> ^
No Referer, No Comment
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Referer_Comment
Denies any comment attempt with a blank HTTP_REFERER field, highly
indicative of spam. May prevent some visitors from POSTING. [403

#status-403>]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*/wp-comments-post\.php.*\ HTTP/ [NC]
RewriteCond %{HTTP_REFERER} ^-?$
Trackback Spam
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Trackback_Spam>
Denies obvious trackback spam. See Holy Shmoly! [403

#status-403>]
RewriteCond
RewriteCond
RewriteCond
RewriteRule
%{REQUEST_METHOD} =POST
%{HTTP_USER_AGENT} ^.*(opera|mozilla|firefox|msie|safari).*$ [NC]
%{THE_REQUEST} ^[A-Z]{3,9}\ /.+/trackback/?\ HTTP/ [NC]
.* - [F,NS,L]
Map all URIs except those corresponding to existing files to a

handler
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Map_URIs_existi
ng_files_handler> ^
RewriteEngine On
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} !-d
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} !-f
RewriteRule . /script.php
Map any request to a handler
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Map_request_han
dler> ^
In the case where all URIs should be sent to the same place (including
potentially requests for static content) the method to use depends on
the type of the handler. For php scripts, use:For other handlers such as
php scripts, use:
RewriteEngine On
RewriteCond %{REQUEST_URI} !=/script.php
RewriteRule .* /script.php
And for CGI scripts:
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#CGI_scripts> ^
ScriptAliasMatch .* /var/www/script.cgi
Map URIs corresponding to existing files to a handler instead
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Map_URIs_existi
ng_files_handler-s0> ^
RewriteEngine On
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} -d [OR]
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} -f
RewriteCond %{REQUEST_URI} !=/script.php
RewriteRule .* /script.php
If the existing files you wish to have handled by your script have a
common set of file extensions distinct from that of the hander, you can
bypass mod_rewrite and use instead mod_actions. Let's say you want all
.html and .tpl files to be dealt with by your script:
Action foo-action /script.php
AddHandler foo-action html tpl
Deny access if var=val contains the string foo.
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Deny_access_var
val_string_foo> ^
RewriteCond %{QUERY_STRING} foo
RewriteRule ^/url - [F]
Removing the Query String
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Removing_Query_
String> ^
RewriteRule ^/url /url?
Adding to the Query String
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Adding_Query_St
ring> ^
Keep the existing query string using the Query String Append flag, but
add var=val to the end.
RewriteRule ^/url /url?var=val [QSA]
Rewriting For Certain Query Strings
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Rewriting_Query
_Strings> ^
Rewrite URLs like http://askapache.com/url1?var=val to
http://askapache.com/url2?var=val but don't rewrite if val isn't present.
RewriteCond %{QUERY_STRING} val
RewriteRule ^/url1 /url2
Modifying the Query String
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Modifying_Query
_String> ^
Change any single instance of val in the query string to other_val when
accessing /path. Note that %1 and %2 are back-references to the matched
part of the regular expression in the previous RewriteCond.
RewriteCond %{QUERY_STRING} ^(.*)val(.*)$
RewriteRule /path /path?%1other_val%2
------------------------------------------------------------------------
> ^
Best .htaccess Articles

<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#htaccess_Articles
.htaccess for Webmasters

<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#htaccess_Webmas
ters> ^
* Process certain requests for files using a cgi script
<http://www.askapache.com/htaccess/htaccess-for-webmasters.html#process-file
-through-cgi>
* Process Requests with certain Request Methods
<http://www.askapache.com/htaccess/htaccess-for-webmasters.html#process-requ
est-methods-with-script>
* Make any file be a certain filetype
<http://www.askapache.com/htaccess/htaccess-for-webmasters.html#force-filety
pe-with-forcetype>
* Use IfModule directive for robust code
<http://www.askapache.com/htaccess/htaccess-for-webmasters.html#ifmodule-inapache>
Mod_Rewrite URL Rewriting
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Mod_Rewrite_URL
_Rewriting> ^
<http://www.askapache.com/htaccess/crazy-advanced-mod_rewrite-tutorial.html#deco
ded>Undocumented
techniques and methods will allow you to utilize mod_rewrite at an
"expert level" by showing you how to unlock its secrets
<http://www.askapache.com/htaccess/crazy-advanced-mod_rewrite-tutorial.html#deco
ded>.
* Check for a key in QUERY_STRING
<http://www.askapache.com/htaccess/modrewrite-tips-tricks.html#check-for-key
-in-query-string>
* Block access to files during certain hours of the day
<http://www.askapache.com/htaccess/modrewrite-tips-tricks.html#time-based-ac
cess>
* Rewrite underscores to hyphens for SEO URL
<http://www.askapache.com/htaccess/modrewrite-tips-tricks.html#convert-under
score-hyphen>
* Redirecting Wordpress Feeds to Feedburner
<http://www.askapache.com/htaccess/modrewrite-tips-tricks.html#redirect-word
press-feed>
301 Redirects without mod_rewrite
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#301_Redirects_m
od_rewrite> ^
* Redirect single url
<http://www.askapache.com/htaccess/seo-search-engine-friendly-redirects-with
out-mod_rewrite.html#seo-301-redirect-single-file>
* Redirect to new Domain
<http://www.askapache.com/htaccess/seo-search-engine-friendly-redirects-with
out-mod_rewrite.html#seo-301-redirect-new-domain>
Secure PHP with .htaccess
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Secure_PHP_htac
cess> ^
Locking down your php.ini and php cgi with .htaccess
<http://www.askapache.com/htaccess/php-cgi-redirect_status.html>If you
have a php.cgi or php.ini file in your /cgi-bin/ directory or other pub
directory, try requesting them from your web browser. If your php.ini
shows up or worse you are able to execute your php cgi, you'll need to
secure it ASAP. This shows several ways to secure these files, and other
interpreters like perl, fastCGI, bash, csh, etc.
.htaccess Cookie Manipulation
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#htaccess_Cookie
_Manipulation> ^
Cookie Manipulation in .htaccess with RewriteRule
<http://www.askapache.com/htaccess/htaccess-fresh.html>*Fresh .htaccess
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html> code* for
you! Check out the Cookie Manipulation and environment variable usage
with mod_rewrite! I also included a couple Mod_Security .htaccess
examples. *Enjoy!*
* Mod_Rewrite .htaccess Examples
<http://www.askapache.com/htaccess/htaccess-fresh.html#modrewrite1>
* Cookie Manipulation and Tests with mod_rewrite
* Setting Environment Variables
* Using the Environment Variable
* Mod_Security .htaccess Examples
g> ^
.htaccess Caching
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#htaccess_Cachin
>
* Speed Up Sites with htaccess Caching

<http://www.askapache.com/htaccess/speed-up-sites-with-htaccess-caching.html
* htaccess time cheat sheet

<http://www.askapache.com/htaccess/speed-up-your-site-with-caching-and-cache
-control.html#htaccess-time-cheatsheet>
Password Protection and Authentication
tion_Authentication> ^
* Require password for single file
<http://www.askapache.com/htaccess/apache-authentication-in-htaccess.html#re
quire-password-for-single-file>
* Example .htaccess file for password protection
<http://www.askapache.com/htaccess/apache-authentication-in-htaccess.html#sk
eleton-htaccess>
Control HTTP Headers
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Control_HTTP_He
aders> ^
* Prevent Caching 100%
<http://www.askapache.com/htaccess/using-http-headers-with-htaccess.html#pre
vent-caching-with-htaccess>
* Remove IE imagetoolbar without meta tag
<http://www.askapache.com/htaccess/using-http-headers-with-htaccess.html#rem
ove-ie-imagetoolbar>
* Add Privacy (P3P) Header to your site
<http://www.askapache.com/htaccess/using-http-headers-with-htaccess.html#pri
vacy-p3p-header-in-apache>
* Add language and charset headers without meta tags
<http://www.askapache.com/htaccess/using-http-headers-with-htaccess.html#lan
guage-and-content-header-in-htaccess>
Blocking Spam and bad Bots
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Blocking_Spam_b
ad_Bots> ^
Block Bad Robot
<http://www.askapache.com/htaccess/blocking-bad-bots-and-scrapers-with-htaccess.
html>Want
to block a bad robot or web scraper using .htaccess files? Here are 2
methods that illustrate blocking 436 various user-agents. You can block
them using either SetEnvIf methods, or by using Rewrite Blocks.
ps> ^
PHP htaccess tips

<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#PHP_htaccess_ti
By using some cool .htaccess tricks we can control PHP to be run as a

cgi or a module. If php is run as a cgi then we need to compile it
ourselves or use .htaccess to force php to use a local php.ini file. If

it is running as a module then we can use various directives supplied by
that modules in .htaccess
* When php run as CGI
<http://www.askapache.com/htaccess/php-htaccess-tips-and-tricks.html#php-run
-as-cgi>
* Use a custom php.ini with mod_php or php as a cgi
<http://www.askapache.com/htaccess/php-htaccess-tips-and-tricks.html#htacces
s-php-ini>
* When php run as Apache Module (mod_php)
<http://www.askapache.com/htaccess/php-htaccess-tips-and-tricks.html#sub-mod
_php>
* When cgi php is run with wrapper (FastCGI)
<http://www.askapache.com/htaccess/php-htaccess-tips-and-tricks.html#php-and
-fastcgi-in-htaccess>
HTTP to HTTPS Redirects with mod_rewrite
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#HTTP_HTTPS_Redi
rects_mod_rewrite> ^
HTTP to HTTPS Redirects with mod_rewrite
<http://www.askapache.com/htaccess/http-https-rewriterule-redirect.html>This
is freaking sweet if you use SSL I promise you! Basically instead of
having to check for HTTPS using a |RewriteCond %{HTTPS} =on| for every
redirect that can be either HTTP or HTTPS, I set an environment variable
once with the value "http" or "https" if HTTP or HTTPS is being used for
that request, and use that env variable in the RewriteRule.
SSL in .htaccess
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#SSL_htaccess> ^
* Redirect non-https requests to https server
<http://www.askapache.com/htaccess/ssl-example-usage-in-htaccess.html#redire
ct-http-to-https>
* Rewrite non-https to HTTPS without mod_ssl!
<http://www.askapache.com/htaccess/ssl-example-usage-in-htaccess.html#rewrit
e-http-to-https-no-mod_ssl>
* Redirect everything served on port 80 to HTTPS URI
<http://www.askapache.com/htaccess/ssl-example-usage-in-htaccess.html#redire
ct-port-80-to-https>
SetEnvIf and SetEnvIfNoCase in .htaccess
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#SetEnvIf_SetEnv
IfNoCase_htaccess> ^
* Unique mod_setenvif Variables
<http://www.askapache.com/htaccess/setenvif.html#setenvif-variables>
* Populates HTTP_MY_ Variables with mod_setenvif variable values
<http://www.askapache.com/htaccess/setenvif.html#http-headers>
* Allows only if HOST Header is present in request
<http://www.askapache.com/htaccess/setenvif.html#allow-host>
* Add values from HTTP Headers
<http://www.askapache.com/htaccess/setenvif.html#header-copy>
Site Security with .htaccess

<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Site_Security_h
taccess> ^
chmod .htpasswd files 640, chmod .htaccess 644, php files 600, and chmod
files that you really dont want people to see as 400. (NEVER chmod 777,
try 766)
* CHMOD your files
<http://www.askapache.com/htaccess/security-with-htaccess.html#chmod-htacces
s-info>
* Prevent access to .htaccess and .htpasswd files
<http://www.askapache.com/htaccess/security-with-htaccess.html#deny-htaccess
-htpasswd-access>
* Show Source Code instead of executing
<http://www.askapache.com/htaccess/security-with-htaccess.html#show-source-c
ode>
* Securing directories: Remove ability to execute scripts
<http://www.askapache.com/htaccess/security-with-htaccess.html#securing-dire
ctories-with-htaccess>
* .htaccess ErrorDocuments
<http://www.askapache.com/htaccess/security-with-htaccess.html#errordocument
-usage-in-htaccess>
Merging Notes
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Merging_Notes>
The order of merging is:

1. |<Directory>| (except regular expressions) and .htaccess done
simultaneously (with .htaccess, if allowed, overriding |<Directory>|)
2. |<DirectoryMatch>| (and |<Directory ~>|)
3. |<Files>| and |<FilesMatch>| done simultaneously
4. |<Location>| and |<LocationMatch>| done simultaneously
My Favorite .htaccess Links
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Favorite_htaccess
_Links> ^
These are just some of my favorite .htaccess resources. I'm really into
doing your own hacking to get knowledge and these links are all great
resources in that respect. I'm really interested in new or unusual
htaccess solutions or htaccess hacks using .htaccess files, so let me
know if you find one.
*NCSA HTTPd Tutorials*
*Robert Hansen*
Here's a great Hardening HTAccess part 1
<http://www.securityfocus.com/infocus/1368>, part 2
<http://www.securityfocus.com/infocus/1369>, part 3
<http://www.securityfocus.com/infocus/1370> article that goes into
detail about some of the rarer security applications for .htaccess files.
*SAMAXES*
Some very detailed and helpful .htaccess articles, such as the
".htaccess - gzip and cache your site for faster loading and bandwidth
saving."
<http://www.samaxes.com/2008/04/20/htaccess-gzip-and-cache-your-site-for-fasterloading-and-bandwidth-saving/>
*PerishablePress*
Stupid .htaccess tricks
<http://perishablepress.com/press/2006/01/10/stupid-htaccess-tricks/> is
probably the *best explanation online* for many of the best .htaccess
solutions, including many from this page. Unlike me they are fantastic
writers, even for technical stuff they are very readable, so its a good
blog to kick back on and read. They also have a fantastic article
<http://perishablepress.com/press/2009/02/03/eight-ways-to-blacklist-with-apache
s-mod_rewrite/>
detailing how to block/deny specific requests using mod_rewrite.
*BlogSecurity*
Mostly a site for... blog security (which is really any web-app
security) this blog has a few really impressive articles full of solid
information for Hardening WordPress with .htaccess among more advanced
topics that can be challenging but effective. This is a good site to
subscribe to their feed, they publish plugin exploits and wordpress core
vulnerabilities quite a bit.
*Check-These*
Oldschool security/unix dude with some incredibly detailed mod_rewrite
tutorials, helped me the most when I first got into this, and a great
guy too. See: Basic Mod_Rewrite Guide
<http://check-these.info/mod_rewrite-basic.html>, and Advanced
Mod_Rewrite Tutorial <http://check-these.info/RewriteRule.html>
*Reaper-X*
Alot of .htaccess tutorials and code. See: Hardening Wordpress with Mod
Rewrite and htaccess
<http://www.reaper-x.com/2007/09/01/hardening-wordpress-with-mod-rewrite-and-hta
ccess/>
*jdMorgan*
jdMorgan
<http://www.webmasterworld.com/profilev4.cgi?action=view&member=jdMorgan> is
the Moderator of the Apache Forum
<http://www.webmasterworld.com/apache/> at WebmasterWorld, a great place
for answers. In my experience he can answer any tough question
pertaining to advanced .htaccess usage, haven't seen him stumped yet.
*The W3C*
Setting Charset in .htaccess
<http://www.w3.org/International/questions/qa-htaccess-charset> is very
informative.
*Holy Shmoly!*
A great blogger with analysis of attacks and spam. See: More ways to
stop spammers and unwanted traffic.
*Apache Week*
A partnership with Red Hat back in the 90's that produced some excellent
documentation <http://www.apacheweek.com/features/userauth>.
*Corz*
Here's a resource that I consider to have some of the most creative and
ingenious ideas for .htaccess files, although the author is somewhat of
a character ;) Its a trip trying to navigate around the site, a fun
trip. Its like nothing I've ever seen. There are only a few articles on
the site, but the htaccess articles are very original and well-worth a
look. See: htaccess tricks and tips
<http://corz.org/serv/tricks/htaccess.php>.
-----------------------------------------------------------------------Htaccess Directives
es-s0> ^
This is an AskApache.com exclusive /you won't find this anywhere else/.
Directory, DirectoryMatch, Files, FilesMatch, IfDefine, IfVersion,
IfModule, Limit, LimitExcept, Location, LocationMatch, Proxy,
ProxyMatch, VirtualHost, AcceptMutex, AcceptPathInfo, AccessFileName,
Action, AddCharset, AddDefaultCharset, AddDescription, AddEncoding,
AddHandler, AddInputFilter, AddLanguage, AddOutputFilter,
AddOutputFilterByType, AddType, Alias, AliasMatch, AllowCONNECT,
AllowOverride, Anonymous, Anonymous_Authoritative, Anonymous_LogEmail,
Anonymous_MustGiveEmail, Anonymous_NoUserId, Anonymous_VerifyEmail,
AuthAuthoritative, AuthDBMAuthoritative, AuthDBMGroupFile, AuthDBMType,
AuthDBMUserFile, AuthDigestAlgorithm, AuthDigestDomain, AuthDigestFile,
AuthDigestGroupFile, AuthDigestNcCheck, AuthDigestNonceFormat,
AuthDigestNonceLifetime, AuthDigestQop, AuthDigestShmemSize,
AuthGroupFile, AuthName, AuthType, AuthUserFile, BS2000Account,
BrowserMatch, BrowserMatchNoCase, CacheNegotiatedDocs, CharsetDefault,
CharsetOptions, CharsetSourceEnc, CheckSpelling, ContentDigest,
CookieDomain, CookieExpires, CookieName, CookieStyle, CookieTracking,
CoreDumpDirectory, DAV, DAVDepthInfinity, DAVMinTimeout, DefaultIcon,
DefaultLanguage, DefaultType, DocumentRoot, ErrorDocument, ErrorLog,
ExtFilterDefine, ExtFilterOptions, FancyIndexing, FileETag,
ForceLanguagePriority, ForceType, GprofDir, Header, HeaderName,
HostnameLookups, IdentityCheck, ImapBase, ImapDefault, ImapMenu,
Include, IndexIgnore, LanguagePriority, LimitRequestBody,
LimitRequestFields, LimitRequestFieldsize, LimitRequestLine,
LimitXMLRequestBody, LockFile, LogLevel, MaxRequestsPerChild,
MultiviewsMatch, NameVirtualHost, NoProxy, Options, PassEnv, PidFile,
Port, ProxyBlock, ProxyDomain, ProxyErrorOverride, ProxyIOBufferSize,
ProxyMaxForwards, ProxyPass, ProxyPassReverse, ProxyPreserveHost,
ProxyReceiveBufferSize, ProxyRemote, ProxyRemoteMatch, ProxyRequests,
ProxyTimeout, ProxyVia, RLimitCPU, RLimitMEM, RLimitNPROC, ReadmeName,
Redirect, RedirectMatch, RedirectPermanent, RedirectTemp, RemoveCharset,
RemoveEncoding, RemoveHandler, RemoveInputFilter, RemoveLanguage,
RemoveOutputFilter, RemoveType, RequestHeader, Require, RewriteCond,
RewriteRule, SSIEndTag, SSIErrorMsg, SSIStartTag, SSITimeFormat,
SSIUndefinedEcho, Satisfy, ScoreBoardFile, Script, ScriptAlias,
ScriptAliasMatch, ScriptInterpreterSource, ServerAdmin, ServerAlias,
ServerName, ServerPath, ServerRoot, ServerSignature, ServerTokens,
SetEnv, SetEnvIf, SetEnvIfNoCase, SetHandler, SetInputFilter,
SetOutputFilter, Timeout, TypesConfig, UnsetEnv, UseCanonicalName,
XBitHack, allow, deny, order, CGIMapExtension, EnableMMAP,
ISAPIAppendLogToErrors, ISAPIAppendLogToQuery, ISAPICacheFile,

ISAPIFakeAsync, ISAPILogNotSupported, ISAPIReadAheadBuffer, SSLLog,
SSLLogLevel, MaxMemFree, ModMimeUsePathInfo, EnableSendfile,
ProxyBadHeader, AllowEncodedSlashes, LimitInternalRecursion,
EnableExceptionHook, TraceEnable, ProxyFtpDirCharset,
AuthBasicAuthoritative, AuthBasicProvider, AuthDefaultAuthoritative,
AuthDigestProvider, AuthLDAPAuthzEnabled, AuthLDAPBindDN,
AuthLDAPBindPassword, AuthLDAPCharsetConfig, AuthLDAPCompareDNOnServer,
AuthLDAPDereferenceAliases, AuthLDAPGroupAttribute,
AuthLDAPGroupAttributeIsDN, AuthLDAPRemoteUserIsDN, AuthLDAPURL,
AuthzDBMAuthoritative, AuthzDBMType, AuthzDefaultAuthoritative,
AuthzGroupFileAuthoritative, AuthzLDAPAuthoritative,
AuthzOwnerAuthoritative, AuthzUserAuthoritative, BalancerMember,
DAVGenericLockDB, FilterChain, FilterDeclare, FilterProtocol,
FilterProvider, FilterTrace, IdentityCheckTimeout, IndexStyleSheet,
ProxyPassReverseCookieDomain, ProxyPassReverseCookiePath, ProxySet,
ProxyStatus, ThreadStackSize, AcceptFilter, Protocol,
AuthDBDUserPWQuery, AuthDBDUserRealmQuery, UseCanonicalPhysicalPort,
CheckCaseOnly, AuthLDAPRemoteUserAttribute, ProxyPassMatch,
SSIAccessEnable, Substitute, ProxyPassInterpolateEnv
------------------------------------------------------------------------
Htaccess Modules
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Htaccess_Modules>
Here are most of the modules that come with Apache. Each one can have
new commands that can be used in .htaccess file scopes.
mod_actions <http://www.askapache.com/servers/mod_actions.c.html>,
mod_alias <http://www.askapache.com/servers/mod_alias.c.html>, mod_asis
<http://www.askapache.com/servers/mod_asis.c.html>, mod_auth_basic
<http://www.askapache.com/servers/mod_auth_basic.c.html>,
mod_auth_digest
<http://www.askapache.com/servers/mod_auth_digest.c.html>,
mod_authn_anon <http://www.askapache.com/servers/mod_authn_anon.c.html>,
mod_authn_dbd <http://www.askapache.com/servers/mod_authn_dbd.c.html>,
mod_authn_dbm <http://www.askapache.com/servers/mod_authn_dbm.c.html>,
mod_authn_default
<http://www.askapache.com/servers/mod_authn_default.c.html>,
mod_authn_file <http://www.askapache.com/servers/mod_authn_file.c.html>,
mod_authz_dbm <http://www.askapache.com/servers/mod_authz_dbm.c.html>,
mod_authz_default
<http://www.askapache.com/servers/mod_authz_default.c.html>,
mod_authz_groupfile
<http://www.askapache.com/servers/mod_authz_groupfile.c.html>,
mod_authz_host <http://www.askapache.com/servers/mod_authz_host.c.html>,
mod_authz_owner
<http://www.askapache.com/servers/mod_authz_owner.c.html>,
mod_authz_user <http://www.askapache.com/servers/mod_authz_user.c.html>,
mod_autoindex <http://www.askapache.com/servers/mod_autoindex.c.html>,
mod_cache <http://www.askapache.com/servers/mod_cache.c.html>,
mod_cern_meta <http://www.askapache.com/servers/mod_cern_meta.c.html>,
mod_cgi <http://www.askapache.com/servers/mod_cgi.c.html>, mod_dav
<http://www.askapache.com/servers/mod_dav.c.html>, mod_dav_fs
<http://www.askapache.com/servers/mod_dav_fs.c.html>, mod_dbd
<http://www.askapache.com/servers/mod_dbd.c.html>, mod_deflate
<http://www.askapache.com/servers/mod_deflate.c.html>, mod_dir
<http://www.askapache.com/servers/mod_dir.c.html>, mod_disk_cache
<http://www.askapache.com/servers/mod_disk_cache.c.html>, mod_dumpio
<http://www.askapache.com/servers/mod_dumpio.c.html>, mod_env
<http://www.askapache.com/servers/mod_env.c.html>, mod_expires
<http://www.askapache.com/servers/mod_expires.c.html>, mod_ext_filter
<http://www.askapache.com/servers/mod_ext_filter.c.html>, mod_file_cache
<http://www.askapache.com/servers/mod_file_cache.c.html>, mod_filter
<http://www.askapache.com/servers/mod_filter.c.html>, mod_headers
<http://www.askapache.com/servers/mod_headers.c.html>, mod_ident
<http://www.askapache.com/servers/mod_ident.c.html>, mod_imagemap
<http://www.askapache.com/servers/mod_imagemap.c.html>, mod_include
<http://www.askapache.com/servers/mod_include.c.html>, mod_info
<http://www.askapache.com/servers/mod_info.c.html>, mod_log_config
<http://www.askapache.com/servers/mod_log_config.c.html>,
mod_log_forensic
<http://www.askapache.com/servers/mod_log_forensic.c.html>, mod_logio
<http://www.askapache.com/servers/mod_logio.c.html>, mod_mem_cache
<http://www.askapache.com/servers/mod_mem_cache.c.html>, mod_mime
<http://www.askapache.com/servers/mod_mime.c.html>, mod_mime_magic
<http://www.askapache.com/servers/mod_mime_magic.c.html>,
mod_negotiation
<http://www.askapache.com/servers/mod_negotiation.c.html>, mod_proxy
<http://www.askapache.com/servers/mod_proxy.c.html>, mod_proxy_ajp
<http://www.askapache.com/servers/mod_proxy_ajp.c.html>,
mod_proxy_balancer
<http://www.askapache.com/servers/mod_proxy_balancer.c.html>,
mod_proxy_connect
<http://www.askapache.com/servers/mod_proxy_connect.c.html>,
mod_proxy_ftp <http://www.askapache.com/servers/mod_proxy_ftp.c.html>,
mod_proxy_http <http://www.askapache.com/servers/mod_proxy_http.c.html>,
mod_rewrite <http://www.askapache.com/servers/mod_rewrite.c.html>,
mod_setenvif <http://www.askapache.com/servers/mod_setenvif.c.html>,
mod_speling <http://www.askapache.com/servers/mod_speling.c.html>,
mod_ssl <http://www.askapache.com/servers/mod_ssl.c.html>, mod_status
<http://www.askapache.com/servers/mod_status.c.html>, mod_substitute
<http://www.askapache.com/servers/mod_substitute.c.html>, mod_unique_id
<http://www.askapache.com/servers/mod_unique_id.c.html>, mod_userdir
<http://www.askapache.com/servers/mod_userdir.c.html>, mod_usertrack
<http://www.askapache.com/servers/mod_usertrack.c.html>, mod_version
<http://www.askapache.com/servers/mod_version.c.html>, mod_vhost_alias
<http://www.askapache.com/servers/mod_vhost_alias.c.html>
------------------------------------------------------------------------
> ^
Htaccess Software
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Htaccess_Software
Apache HTTP Server comes with the following programs

<http://httpd.apache.org/docs/trunk/programs/>.
|httpd|
Apache hypertext transfer protocol server
|apachectl|
Apache HTTP server control interface
|ab|
Apache HTTP server benchmarking tool
|apxs|
APache eXtenSion tool
|dbmmanage|
Create and update user authentication files in DBM format for basic
authentication
|fcgistarter|
Start a FastCGI program
|htcacheclean|
Clean up the disk cache
|htdigest|
Create and update user authentication files for digest authentication
|htdbm|
Manipulate DBM password databases.
|htpasswd|
Create and update user authentication files for basic authentication
|httxt2dbm|
Create dbm files for use with RewriteMap
|logresolve|
Resolve hostnames for IP-addresses in Apache logfiles
log_server_status
Periodically log the server's status
|rotatelogs|
Rotate Apache logs without having to kill the server
split-logfile
Split a multi-vhost logfile into per-host logfiles
|suexec|
Switch User For Exec
Technical Look at .htaccess
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Technical_htacces
s> ^
Source: Apache API notes <http://httpd.apache.org/docs/1.3/misc/API.html>

Per-directory configuration structures
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Per-directory_c
onfiguration_structures> ^
Let's look out how all of this plays out in mod_mime.c, which defines
the file typing handler which emulates the NCSA server's behavior of
determining file types from suffixes. What we'll be looking at, here, is
the code which implements the AddType and AddEncoding commands. These
commands can appear in .htaccess files, so they must be handled in the
module's private per-directory data, which in fact, consists of two
separate tables for MIME types and encoding information, and is declared
as follows:
table *forced_types;
table *encoding_types;
mime_dir_config;
/* Additional AddTyped stuff */

/* Added with AddEncoding... */
When the server is reading a configuration file, or <Directory> section,

which includes one of the MIME module's commands, it needs to create a
mime_dir_config structure, so those commands have something to act on.
It does this by invoking the function it finds in the module's `create
per-dir config slot', with two arguments: the name of the directory to
which this configuration information applies (or NULL for srm.conf), and
a pointer to a resource pool in which the allocation should happen.
(If we are reading a .htaccess file, that resource pool is the
per-request resource pool for the request; otherwise it is a resource
pool which is used for configuration data, and cleared on restarts.
Either way, it is important for the structure being created to vanish
when the pool is cleared, by registering a cleanup on the pool if
necessary).
For the MIME module, the per-dir config creation function just
ap_pallocs the structure above, and a creates a couple of tables to fill
it. That looks like this:
void *create_mime_dir_config (pool *p, char *dummy)
mime_dir_config *new = (mime_dir_config *) ap_palloc (p, sizeof(mime_dir_config)
);
new->forced_types = ap_make_table (p, 4);
new->encoding_types = ap_make_table (p, 4);
Now, suppose we've just read in a .htaccess file. We already have the
per-directory configuration structure for the next directory up in the
hierarchy. If the .htaccess file we just read in didn't have any AddType
or AddEncoding commands, its per-directory config structure for the MIME
module is still valid, and we can just use it. Otherwise, we need to
merge the two structures somehow.
To do that, the server invokes the module's per-directory config merge
function, if one is present. That function takes three arguments: the
two structures being merged, and a resource pool in which to allocate
the result. For the MIME module, all that needs to be done is overlay
the tables from the new per-directory config structure with those from
the parent:
void *merge_mime_dir_configs (pool *p, void *parent_dirv, void *subdirv)
mime_dir_config *parent_dir = (mime_dir_config *)parent_dirv;
mime_dir_config *subdir = (mime_dir_config *)subdirv;
mime_dir_config *new = (mime_dir_config *)ap_palloc (p, sizeof(mime_dir_config)
);
new->forced_types = ap_overlay_tables (p, subdir->forced_types, parent_dir->forc
ed_types);
new->encoding_types = ap_overlay_tables (p, subdir->encoding_types, parent_dir->
encoding_types);
As a note --- if there is no per-directory merge function present, the
server will just use the subdirectory's configuration info, and ignore
the parent's. For some modules, that works just fine (e.g., for the
includes module, whose per-directory configuration information consists
solely of the state of the XBITHACK), and for those modules, you can
just not declare one, and leave the corresponding structure slot in the
module itself NULL.
g> ^
Command handling
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Command_handlin
Now that we have these structures, we need to be able to figure out how
to fill them. That involves processing the actual AddType and

AddEncoding commands. To find commands, the server looks in the module's
command table. That table contains information on how many arguments the
commands take, and in what formats, where it is permitted, and so forth.
That information is sufficient to allow the server to invoke most
command-handling functions with pre-parsed arguments. Without further
ado, let's look at the AddType command handler, which looks like this
(the AddEncoding command looks basically the same, and won't be shown here):
char *add_type(cmd_parms *cmd, mime_dir_config *m, char *ct, char *ext)
if (*ext == '.') ++ext;
ap_table_set (m->forced_types, ext, ct);
This command handler is unusually simple. As you can see, it takes four
arguments, two of which are pre-parsed arguments, the third being the
per-directory configuration structure for the module in question, and
the fourth being a pointer to a cmd_parms structure. That structure
contains a bunch of arguments which are frequently of use to some, but
not all, commands, including a resource pool (from which memory can be
allocated, and to which cleanups should be tied), and the (virtual)
server being configured, from which the module's per-server
configuration data can be obtained if required.
Another way in which this particular command handler is unusually simple
is that there are no error conditions which it can encounter. If there
were, it could return an error message instead of NULL; this causes an
error to be printed out on the server's stderr, followed by a quick
exit, if it is in the main config files; for a .htaccess file, the
syntax error is logged in the server error log (along with an indication
of where it came from), and the request is bounced with a server error
response (HTTP error status, code 500).
The MIME module's command table has entries for these commands, which
look like this:
command_rec mime_cmds[] =
{ "AddType", add_type, NULL, OR_FILEINFO, TAKE2, "a mime type followed by a file
extension" },
{ "AddEncoding", add_encoding, NULL, OR_FILEINFO, TAKE2, "an encoding (e.g., gzi
p), followed by a file extension" },
Here's a taste of that famous Apache source code that builds the
directives allowed in .htaccess file context, the key that tells whether
its enabled in .htaccess context is the DIR_CMD_PERMS and then the
OR_FILEINFO, which means a directive is enabled dependent on the
AllowOverride directive that is only allowed in the main config. First
Apache 1.3.0, then Apache 2.2.10
ex> ^
mod_autoindex
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#mod_autoind
AddIcon, add_icon, BY_PATH, DIR_CMD_PERMS, an icon URL followed by one or more f

ilenames
AddIconByType, add_icon, BY_TYPE, DIR_CMD_PERMS, an icon URL followed by one or
more MIME types
AddIconByEncoding, add_icon, BY_ENCODING, DIR_CMD_PERMS, an icon URL followed by
one or more content encodings
AddAlt, add_alt, BY_PATH, DIR_CMD_PERMS, alternate descriptive text followed by

one or more filenames
AddAltByType, add_alt, BY_TYPE, DIR_CMD_PERMS, alternate descriptive text follow
ed by one or more MIME types
AddAltByEncoding, add_alt, BY_ENCODING, DIR_CMD_PERMS, alternate descriptive tex
t followed by one or more content encodings
IndexOptions, add_opts, DIR_CMD_PERMS, RAW_ARGS, one or more index options
IndexIgnore, add_ignore, DIR_CMD_PERMS, ITERATE, one or more file extensions
AddDescription, add_desc, BY_PATH, DIR_CMD_PERMS, Descriptive text followed by o
ne or more filenames
HeaderName, add_header, DIR_CMD_PERMS, TAKE1, a filename
ReadmeName, add_readme, DIR_CMD_PERMS, TAKE1, a filename
FancyIndexing, fancy_indexing, DIR_CMD_PERMS, FLAG, Limited to 'on' or 'off' (su
perseded by IndexOptions FancyIndexing)
DefaultIcon, ap_set_string_slot, (void *) XtOffsetOf(autoindex_config_rec, defau
lt_icon), DIR_CMD_PERMS, TAKE1, an icon URL
> ^
mod_rewrite
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#mod_rewrite
// mod_rewrite
RewriteEngine, cmd_rewriteengine, OR_FILEINFO, On or Off to enable or disable (d
efault)
RewriteOptions, cmd_rewriteoptions, OR_FILEINFO, List of option strings to set
RewriteBase, cmd_rewritebase, OR_FILEINFO, the base URL of the per-directory con
text
RewriteCond, cmd_rewritecond, OR_FILEINFO, an input string and a to be applied r
egexp-pattern
RewriteRule, cmd_rewriterule, OR_FILEINFO, an URL-applied regexp-pattern and a s
ubstitution URL
RewriteMap, cmd_rewritemap, RSRC_CONF, a mapname and a filename
RewriteLock, cmd_rewritelock, RSRC_CONF, the filename of a lockfile used for int
er-process synchronization
RewriteLog, cmd_rewritelog, RSRC_CONF, the filename of the rewriting logfile
RewriteLogLevel, cmd_rewriteloglevel, RSRC_CONF, the level of the rewriting logf
ile verbosity (0=none, 1=std, .., 9=max)
RewriteLog, fake_rewritelog, RSRC_CONF, [DISABLED] the filename of the rewriting
logfile
RewriteLogLevel, fake_rewritelog, RSRC_CONF, [DISABLED] the level of the rewriti
ng logfile verbosity
The entries in these tables are:
* The name of the command
* The function which handles it a (void *) pointer, which is passed in
the cmd_parms structure to the command handler --- this is useful in
case many similar commands are handled by the same function.
* A bit mask indicating where the command may appear. There are mask
bits corresponding to each AllowOverride option, and an additional
mask bit, RSRC_CONF, indicating that the command may appear in the
server's own config files, but not in any .htaccess file.
* A flag indicating how many arguments the command handler wants
pre-parsed, and how they should be passed in. TAKE2 indicates two
pre-parsed arguments. Other options are TAKE1, which indicates one
pre-parsed argument, FLAG, which indicates that the argument should
be On or Off, and is passed in as a boolean flag, RAW_ARGS, which
causes the server to give the command the raw, unparsed arguments
(everything but the command name itself). There is also ITERATE,

which means that the handler looks the same as TAKE1, but that if
multiple arguments are present, it should be called multiple times,
and finally ITERATE2, which indicates that the command handler looks
like a TAKE2, but if more arguments are present, then it should be
called multiple times, holding the first argument constant.
* Finally, we have a string which describes the arguments that should
be present. If the arguments in the actual config file are not as
required, this string will be used to help give a more specific
error message. (You can safely leave this NULL).
Finally, having set this all up, we have to use it. This is ultimately
done in the module's handlers, specifically for its file-typing handler,
which looks more or less like this; note that the per-directory
configuration structure is extracted from the request_rec's
per-directory configuration vector by using the ap_get_module_config
function.
Side notes --- per-server configuration, virtual servers, etc.
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Side_notes_perserver_configuration_virtual> ^
The basic ideas behind per-server module configuration are basically the
same as those for per-directory configuration; there is a creation
function and a merge function, the latter being invoked where a virtual
server has partially overridden the base server configuration, and a
combined structure must be computed. (As with per-directory
configuration, the default if no merge function is specified, and a
module is configured in some virtual server, is that the base
configuration is simply ignored).
The only substantial difference is that when a command needs to
configure the per-server private module data, it needs to go to the
cmd_parms data to get at it. Here's an example, from the alias module,
which also indicates how a syntax error can be returned (note that the
per-directory configuration argument to the command handler is declared
as a dummy, since the module doesn't actually have per-directory config
data):
*Network Hardware Certification*
No doubt Cisco is way ahead then other network hardware and
certification providers. Most of fresh IT graduates are going for CCNA
640-802 exam <http://www.certshelp.com/640-802.html> in order to start
their career in the field of networking. While on the other hand, those
who are interested to be hardware technician are attempting CompTIA
sy0-301 <http://www.certshelp.com/sy0-301.html> Exam.
Litespeed Htaccess support
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#Litespeed_Htacc
ess_support> ^
Unlike other lightweight web servers, Apache compatible per-directory
configuration overridden is fully supported by LiteSpeed Web Server
<http://www.litespeedtech.com/>. With .htacess you can change
configurations for any directory under document root on-the-fly, which
in most cases is a mandatory feature in shared hosting environment. It

is worth noting that /enabling .htaccess support in LiteSpeed/ Web
Server will not degrade server's performance, comparing to Apache's 40%
drop in performance.
Continue Reading Page 2
<http://www.askapache.com/htaccess/htaccess-rewrite.html>
Tags ^ <file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#toc>
.htpasswd <http://www.askapache.com/tag/htpasswd/> 301 Redirect
<http://www.askapache.com/tag/301-redirect/> Apache
<http://www.askapache.com/tag/apache/> Cache
<http://www.askapache.com/tag/cache/> Hosting
<http://www.askapache.com/tag/hosting/> Htaccess
<http://www.askapache.com/tag/htaccess/> Htaccess Software
<http://www.askapache.com/tag/htaccess-software/> HTTP Headers
<http://www.askapache.com/tag/http-headers/> httpd.conf
<http://www.askapache.com/tag/httpd-conf/> mod_rewrite
<http://www.askapache.com/tag/mod_rewrite/> Redirect
<http://www.askapache.com/tag/redirect/> RewriteCond
<http://www.askapache.com/tag/rewritecond/> RewriteRule
<http://www.askapache.com/tag/rewriterule/> SSL
<http://www.askapache.com/tag/ssl/>
April 10th, 2014
Unicode Character Reference
<http://www.askapache.com/web-development/unicode-character-reference.html>Crazy
POWERFUL Bash Prompt
<http://www.askapache.com/linux/bash-power-prompt.html>
Comments Welcome ^
*
tenstar
That's perfect summary, very valuable for my next job of doing SEO
friendly urls through htaccess. Thank you.
Liam McDermott
Thanks for this article, it's great.
So great that we've made it 'sticky

<http://www.webmaster-forums.net/webmasters-corner/awesome-articles-and-reso
urces-webmasters>'
on The Webmaster Forums.
Now we don't have to repeat ourselves, just send people to this article!
*
Joost
Great list, it helps clear up much of the htacess mystery and
confusion that comes from creating such files.
htaccess
this does not seem to work ?
AuthName "htaccess password prompt"
AuthType Basic
Require valid-user
Allow from 172.17.10.1
Satisfy Any
It lets me in from any ip address ? I've managed to get it to work
like this (although may not be correct)
AuthName "htaccess password prompt"
AuthType Basic
Satisfy Any
order deny,allow
deny from all
Require valid-user
Allow from 172.17.10.1
I'm not sure if this is optimal however.
http://www.askapache.com/ AskApache
http://www.michiknows.com/2007/02/12/who-else-wants-to-hide-their-wordpressadmin-folder/
*
Grafikafe
very nice .htaccess doc, thank you man.
Jill
After three frustrating phone calls to the idiots at 1&1 hosting,
simply trying to help one of my clients get a redirect... I gave up
and asked my website hosting company, DreamHost for help. Their
article directed me to this site, which, solved the htaccess problem
with my client's site in a snap. Thank you so much for this!
Raymond S. Usbal
Thanks for putting this up. This htaccess guide is complete and
direct to the point. I like it!
Richard
This is very useful and powerful htaccess. It does help improve the
security of my wordpress. I will keep an eye of the updates.
http://htaccessrewrite.wordpress.com/ htaccess rewrite

htaccess rewrite, htaccess mod rewrite, php url rewrite, .htaccess
rewrite rule, .htaccess redirect post variables, mod rewrite
htaccess, hotlink code, rewrite url .htaccess, htaccess allow
indexes, htaccess tips tricks, .htaccess php require, .htaccess
php.ini, rewrite htaccess, htaccess rewrite rule, .htaccess mod rewrite
Hey your home page is a little out of control
*
http://httpd.apache.org/ Rich Bowen

Now even more! Love it.
.htaccess rewrite mask external link,htaccess mod rewrite error
page,how much does mod rewrite,.htaccess dynamic
directories,htaccess rewrite url,htaccess url,htaccess hide url,mod
rewrite php to htm
and
htaccess rewrite rule options,rewrite direct index link
htaccess,htaccess rewriterule,.htaccess mod_rewrite rules,convert
unix timestamp into date php,php to .html with htaccess
John
Hey, I am using the following code for /redirecting non www url to
www url/. Please let me know what code to add?
Options +FollowSymLinks
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} !^www.example.com$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]
It work fine for the folowing url type
|example.com/restaurant.html|, If I have to redirect the following
non www url to www url |example.com/cms/restaurant.html|. When I hit
this url I get the following response:
"The requested URL /index.php was not found on this server."
Thanks,
John
Wilvic
I found your site about htaccess interesting and could help me from
what I'm doing.
I just have some question regarding htaccess.
I need to edit a webpage that already has a 'Contact Webpage' which
you can send some suggestion/comments.
It seems like this is the place where the post is directed. I
checked the directory |_vti_bin/| but it didn't have |shtml.exe|
instead i found |.htaccess| file.

I'm not very familiar about htaccess much. Can you please help me
how did htaccess directed to |shtml.exe|.
*
mike w
It it possible to *redirect a page when the url has spaces* ie.
|example.com/htaccess file.html| ?
htaccess redirect
Now this is a detailed guide on *redirecting with the htaccess
file*... excellent!
Wetter
*Nice .htaccess article.* It was very helpful for me.
Paul
Our website has been illegally copied by a Chinese website, and as a
result, when you type in our company name in Google, their illegal
website shows up on the first spot but with a 100% copy of our content.
What is a good way to block this Chinese website from our content?
Can we use htaccess files to do this?
allQoo
It is the *most comprehensive htaccess info page I ever read*. Rich
with lots of examples. Thumbs UP!
http://amuleineve.net Manasi
I am unsure if I am doing somethign wrong. I am hosted with Godaddy
but when the checking script runs it displays some errors and I am
unsure as to how to resolve them:
*Error 1*
.htaccess Capabilities
.htaccess files allowed [200] errors out and gives me:
HTTP/1.1 500 Internal Server Error
Date: Wed, 19 Nov 2008 15:59:46 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=iso-8859-1
The others items in this list also turn yellow ( not red like the
first one but also give the same error )
*Second Error:*
HTTP Digest Authentication
Bummer... you don't have digest capabilities.
Is this critically needed?
*Third error:*
Basic
Basic
Basic
Basic
Authentication
Authentication
Authentication
Authentication
Encryption Algorithms
Attempt using Crypt Encryption
Attempt using MD5 Encryption
Attempt using SHA1 Encryption
all three same error as above:

HTTP/1.1 500 Internal Server Error
Date: Wed, 19 Nov 2008 15:59:46 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=iso-8859-1
What am I missing?
*
Case Stevens
Hi, Great htaccess tutorial, learned a lot, but like Emi, I want to
redirect an affiliate link like
|site1.com/x.php?action=alink&id=15&link=3 |to
|site2.com/newproduct/| Is this possible using a rewrite rule?
Thanks for any advice
JAiro Gelvez
Exelente tutorial, he resuelt un complejo problema de cache gracias
a las infinitas alternativas de los .htaccess, en particular gracias
al mod_rewrite del apache y en ello este blog me ha sido de
muchisima ayuda. Gracias a todos
Great tutorial, I have solved a complex problem because of the
infinite cache of alternatives. Htaccess, particularly thanks to
the Apache mod_rewrite and so this blog I have been extremely
helpful. Thanks to all
kay
Hello,
Any idea about what can be wrong with a Drupal .htaccess file that
make it impossible to use my own error.php file on Dreamhost PS?
Dreamhost replied me that it must be because of the .htaccess file
but that's all.
Thanks a lot!
chaithu
Hi,
It's a very nice tutorial, but i have got a problem with apache
authentication modules. I have written an apache authentication
module and given the authentication type as basic. But, whenever a
GET request is coming, my authentication module is being invoked and
for each GET request, authentication is happening. But i wnt it to
be authenticated only once. how can i solve this problem and is
there any relation of this problem with .htaccess file
Conor
Hi thanks for the great info on creating a .htaccess file.
I just wanted to know, is it possible to use deny from all and at
the same time allow php from the same server to write to the directory?
Thanks
Naysweb
Hi, I hope you can help me, I would like for anyone who types site
(also have subdomain) without the "WWW" for it to add it. I really
hope you can help, I tried before but it went in a big rewrite
loop.. added lots of WWW's. Thanks
geo
Great htaccess things here askapache, keep up the Good Job ;)
Thank you
nowal
I am having problem on my WP blog and it has something to do with
the *htaccess*. I installed the plugin but was not able to figure
out the problem. The site was working fine but recently I am getting
tons of
page not found
As |?p=xx| is being added at the end of existing URL's. It has
something to do with |permalink|? URL Rewrite? Any hint as I am
clueless at the moment, will appreciate!
macc
Fantastic site! Thanks! Still as a newbee I need some help... I
would much appreciate if you could help me (eager to donate...) Here
is my .htaccess code:
RewriteEngine On
RewriteRule îndex.html$ index.php
RewriteRule ^browse-(.*)-videos.html$ category.php?cat=$1
RewriteRule
=$2&sortby=$3
RewriteRule
RewriteRule
RewriteRule
RewriteRule
RewriteRule
RewriteRule
RewriteRule
RewriteRule
^browse-(.*)-videos-([0-9]+)-(.*).html$ category.php?cat=$1&page
^favorites.html(.*)$ favorites.php$1
^favorites.html(.*)$ favorites.php$1
^playlist/(.*)$ myfavorites.php?u=$1
^memberlist.html(.*)$ memberlist.php$1
^tags/([^/]+)/$ tag.php?t=$1&page=1
^tags/([^/]+)/page-([0-9]+)(/)?$ tag.php?t=$1&page=$2
^(.*)/(.*)-video_(.*).html$ musicvideo.php?vid=$3
^rss.xml$ rss.php [L]
I want to have *wild-subdomains* (yes I have /root access/!). I want

the user's site to looks like |http://user.domain.com| (yes I have
root access to my server! and I have already installed
wild-subdomains for my other site)
Best Regards,
Macc
*
Krit
Hi, I have non-www to www redirect code as follows :
RewriteEngine On
##non-www to www
RewriteCond %{HTTP_HOST} !^(www.example.com)?$
RewriteRule (.*) http://www.example.com/$1 [R=301,L]
This works fine and redirects all non-www version of the url to its
corresponding www version. However when I have a
|https://www.example.com/mypage.asp|, it redirects the same to
|http://www.example.com/mypage.asp|. How can I prevent urls
beginning with https to be skipped by this re-write rule.
Tom Mc Carrick
Hi Dave
I found your site when I was researching a problem I have with
broken permalinks on my blog. The article on .htaccess is excellent.
Basically, some of my backlinks are pointing to posts and have the
format "postname.html" and they are giving "not found" errors. I
would like the requests for the .html links to be redirected to the
"clean" permalinks I am now using (i.e. "postname"). Could you
please explain how I can do this through .htaccess?
Thanks
Tom
Arvind
Thanks for the best tutorial all in one. that's great. I have
problem with two |.htaccess |
If there are two different |.htaccess| file in two different
directory, one that exists on root folder and other one exists in
sub directory called htaccesssearch.
I want to redirect website from non-www to www with 301 and I have
added code root |.htaccess| file as following
RewriteEngine on
Options +FollowSymlinks
Rewritecond %{http_host} ^baghel.in
Rewriterule ^(.*)$ http://www.baghel.in/$1 [r=301,nc]
This is working fine but if we access the |/htaccesssearch/abc.html|
it is not redirect to |/htaccesssearch/abc.html| because there is
another |.htaccess| in the htaccesssearch folder .
if we add the above code another .htaccess which is exist in
htaccesssearch then whole site is not working .
Please suggest me what should I do !
Thanks in advance
*
off1
Thank you man, I'm looking forward to implement all this to improve
my server's security
Rob
I'm having the same problem as Manasi. I don't know enough to know
what the
*.htaccess files allowed [200]*
error means or what to do about it. Either
my hosting provider to fix, fix myself, or
into including the feature. But if I don't
ask. Tried finding this on Google, this is
it's something I can get

bug my hosting provider
know what to ask, I can't
the page I got.
Thanks in advance for any help,

Rob
*
Joe Schmoe
*How Do I Make a Htaccess File?* You talked about how Creating a
Htaccess File, (without Htaccess Software) would work in Windows
Explorer.. But what program do you use?
I love your Examples of Htaccess Files, this is the best Htaccess
Tutorial, Htaccess Example, and resource IVe managed to find.
http://www.codepromo.com Monsieur Code Promo

Great idea... however got disapointed by the only example I tried
(protecting whole wp-admin folder except for static files). Till
now, I used to password protect whole wp-admin, which lead to some
bad displays when a css from WP-admin is required (which is stupid,
I thing)
Tried the example to protect whole wp-admin folder but the result in
not as expected (still can't access any CSS file behind /wp-admin/
and authentification not working at all).
Thus, I'm assuming that either ruleset is incorrect, or that there
are some server specific stuff to take care off.
Thanks anyway for this unique guide.
Rgds
*
rif
A wonderful htaccess guide and very distinct
Larry Asuncion
How to cloak a domain redirected to a folder from another hosting
using .htaccess?
Scott C
Great job putting this together, thank you. You solved all my questions.
tim
Awesome guide. I will point our users to this :)
Sortins Technologies
Thank you for share a great and useful resource.
Rob Scott
Very good, comprehensive guide to .htaccess!
Fiona Tighe
Hi there,
Great article.. however I have a question, which I hope you don't
mind me asking.
I have built a web application and I have built a marketing site.
The app is built on the |.com| while the marketing is currently on
the |.ie|.
Anyhow, if somebody types |domain.com| I wish to redirect them to
|domain.ie|
Once on the |.ie|, a button brings them to |domain.com/login|.
So I don't wish to redirect everything...
I have attempted the following

Redirect /index.php http://www.domain.ie/index.php
However, unfortunately when you click on the button, it has changed
to |domain.ie/login| which does not exist....
Any help would be much appreciated.
Regards and thanks,
Fiona
*
Mia
Your site is absolutely great! I have been working on this for a
week and I finally understand this. I do not have a directory index
and I haven't figured out quite how to do this yet. My webhosting
site is Linux based so the code has to be either in Perl or Python.
I can access the .htaccess files but I can get past the first step
of creating the path.
Please help.
Mia
Andy
I realize this might be an older post, but I need some serious help.
I have Wordpress MU installed in my root directory and Moodle
installed in a subdirectory. These are interfering with each other.
I'm getting Internal Server Errors in the Moodle install. I'm pretty
sure it can be fixed with some .htaccess scripting. There is not a
.htaccess file in the Moodle directory. I copied the .htaccess from
the root directory over to the Moodle directory, but it didn't do
anything. Here's what's in the root directory. Is it possible the
php.ini is causing the errors?
# Use PHP5 as default
AddHandler application/x-httpd-php5s .php
RewriteEngine On
RewriteBase /
#uploaded files
RewriteRule ^(.*/)?files/$ index.php [L]
RewriteCond %{REQUEST_URI} !.*wp-content/plugins.*
RewriteRule ^(.*/)?files/(.*) wp-content/blogs.php?file=$2 [L]
# add a trailing slash to /wp-admin
RewriteCond %{REQUEST_URI} ^.*/wp-admin$
RewriteRule ^(.+)$ $1/ [R=301,L]
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule . - [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-.*) $2 [L]

RewriteRule ^([_0-9a-zA-Z-]+/)?(.*.php)$ $2 [L]
RewriteRule . index.php [L]
SecFilterEngine Off
SecFilterScanPOST Off
*
Sam Lavoie
I always found myself getting back to this .htaccess tutorial and
guide. Definitly the best and most complete one!
Sushant
This a really informative post. Directory Protection with .htaccess
files was all that i wanted.
Thank You
jay
help!
i can rewrite URLs just fine, but none of the images/css/js works
anymore!
i just get a plain-html view of the new target page
here is the .htaccess:
RewriteEngine On
RewriteBase /
RewriteRule ^somedirectory/page17 /index.php?id=17
Martin Shortpants
Probably not the best place to ask this, but don't where else.
Is there an htaccess comand(s) that would take ever call to any
occurrence of |wp-contentthemes| and make it read from |allthemes|
The idea is to get several wp installs on same server to use common
directories for their themes and plugins.
I have no success with |ln -s symlinks| but htaccess rewrites all
seem fine.
(p.s. my odd email addie is legit)
Jey Jey
Great resource, Thanks for sharing this great knowledge
Bernhard
Very nice tutorial.

Just one note:
Since Apache *2.0.49* it's possible to use wildcards for the mime
type in |ExpiresByType|, see (search for PR#7991
<http://www.apache.org/dist/httpd/CHANGES_2.0>).
I tested it with Apache *2.2.9* and it works fine.
In my |.htaccess| I set the expiration time for all images with:
ExpiresByType image/* A2592000
*
Henry
Hi,
Great page, but in your /full |.htaccess| directives list/ you have
included the following:
o |Directory|
o |Location|
o |ErrorLog|
I have found that in Apache 2.2 these directives are not allowed.
Ben
This may seem like a very strange request, but i have know idea
where to start in writing my htaccess file.
When i installed my version of WP about 3 months ago, i was unable
to find my htaccess file, and i have looked many time and never
found it. Came to the conclusion that their wasnt one. Did i have to
write one myself?
Could you suggest some sites that give descriptions and code on how
to effectively write a good secure htaccess file.
I will continue to read through ur site which will def. give me some
ideas
Ben
Jun
Thank you very much for a very detailed guide. It's the best I've
found and one that gave me what I've been searching for.
http://shrfirstresponders.ca Darcy Parker

Quick question - I have a hosted website (hosted at godaddy.com)
with a static IP.
I am using a CMS called Moodle to deliver training videos to users
logged into the Moodle
I am not storing the videos in the moodledata directory becasue they
are too large for the backups performed in the data directoy so I am
storing them in a subdirectoy of the html directory
How can I use .htaccess to only allow the videos to be retrieved by
the php scripts that call them. Would limit get work? If I use Limit
get to the ip of the local machine (localhost and/or static) will
the Moodle PHP scripts stioll be able to pull them?
Will a limit get prevent me from accessing the directory via ftp or
sftp or ssh?
html - videodir
- moodle - moodledata - topics - topic1
-topic 2
Thanx
*
misterfry
Thanks for all the info! I do have one question, say I want to use
the directive for protecting wp-config.php which would be this:
# protect wpconfig.php
order allow,deny
deny from all
Would that go before "|# BEGIN WordPress|", after "|# END
WordPress|", or in between them? Would the same apply to other
directives like this:
# secure htaccess file
order allow,deny
deny from all
Any help is greatly appreciated!
Val
I am trying to redirect a URL like the following to the home page:
http://www.site.com/?state=ma
to
http://www.site.com/
Is this possible with htaccess. It is important because google
thinks I have multiple copies of the same page, because right now
both of these pages display the home page, but I need the URL to
redirect to the index so there is no duplicate.
Any help is greatly appreciated.
webeno
Sometimes you just need to do the changes somewhere else than on
.htaccess, like when I tried to setup a subdomain, i read the above
documentation but couldn't find what I was looking for.
Akhilraj
*rewrite the url and hide extension*
RewriteEngine on
RewriteCond %{SCRIPT_FILENAME} !-d
RewriteRule ^([^.]+)$ $1.php [NC,L]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9} /(.*).php HTTP/ [NC]
RewriteRule .+ http://site.com/%1 [R=301,QSA]
http://www.choosev.com/elbiler Bredbnd
Wow, this i such great info. thank you so much!
/Jack
cyrus
Hi
Any one has a Htaccess code that tell the server to treat the |.php|
files as |.php5| ( this is what my serve apparently recognise!)
Regards
Ashok
Is it possible to generate Custom ETag header so that the HTTPD
sends the ETag in reply with the value we set.
I tried this:
[Root @ /var/www/html ] cat .htaccess
FileETag None
Header unset ETag
Header set ETag "ABCDEFGhijk1234=="
But it didn't work :(
Someone pls help me how to send this Custom ETag header to the
client request.
http://CAFR1.com/Court/ WB
I am trying to find the right script for use in my .htaccess file to
have my file download directory pages list on the page the
Directories *first *and the files next. Right now they are all mixed
together.
The script in the .htaccess file now is:
Options +Indexes +MultiViews +FollowSymlinks
Kyle
Hi,
I'm trying to understand exactly what is going on with:
RewriteEngine on
RewriteRule
^$
RewriteRule
(.*)
site/webroot/
site/webroot/$1
[L]
[QSA,L]
Could someone help me understand? I've created a forum inside the

main directory and with the .htaccess file in place, it does not
direct me to the forum but gives me an error. Once I remove the
.htaccess file above I can access the forum. Any help is appreciated!
*
Gilang
Hi, I am curious if there is clue using
a website that the same content by what
pasting? Let say similar like rejecting
htaccess with hotlink. does anyone know
htaccess for rejecting/deny

people have done copy
the image,gif,png by using
for web content? thanks a lots.
gwmbox
Excellent resource.
For caching is it best to only use one of the caching options or
both? as in do I add caching like
### HEADER CACHING
Header unset Last-Modified
SetOutputFilter DEFLATE
Header set Cache-Control "max-age=600, must-revalidate"
Header unset Cache-Control
as well as
ExpiresActive
ExpiresByType
ExpiresByType
ExpiresByType
ExpiresByType
ExpiresByType
ExpiresByType
ExpiresActive
On
image/gif "access plus 1 year"
image/jpeg "access plus 1 year"
image/png "access plus 1 year"
text/css "access plus 1 year"
text/javascript "access plus 1 year"
application/x-javascript "access plus 1 year"
Off
Or only use one of them? If so which one?

Thanks
GW
*
http://www.q-ballahmar.com/vb aowd25
That's perfect summary, very valuable for my next job of doing SEO
friendly urls through htaccess. Thank you
welson elias
Pessoal, a muito tempo eu venho tentando descobrir como encontrar
algum plugin ou algum script que eu escondo os diterrio wp-admin e
wp-content quando um usurio exibe o cdigo de fonte, ou seja, ele
j vai saber que o site feito no wordpress, ento pedindo ajuda
aqui eu gostaria de saber como fazer isso, quer um exemplo acesse
esse site: http://concursosnobrasil.com.br/
tente exibir o cdigo de fonte, como vcs podem perceber no mostra
os caminhos dos diretrios wp-admin e wp-content, se algum puder me
ajudar eu ficar grato por isso, obrigado!!!!
http://www.1stcustomsoftware.com Mark
Can I start out by saying your site is AWESOME!
Got a question? You mentioned "If even 1/10 of the sites on a
server-farm took advantage of what they are paying for, the
providers would go out of business." - can you elaborate on what
type of settings need to be changed to take enable more resources on
shared hosting?
Would same thing apply to VPS accounts too?
Thank you!!
Prasanna
Can we use something like this to disable http auth for a sub-directory?
Satisfy Any
AllowOverride All
samdix
I have a problem with my site, recently I moved to vps server, from
hostgator, I have many 404 errors in Google Webmaster Tools, about
13,000 of them. the 404's are because they were created by WP with :
|category| or |/page #|, or tags. not the post name which is my
permalink structure. The site has lots of content, (news site). The
other problem is: 302 redirects found in my AWstats: maybe this was
because of the move. But I wish to get the 404's fixed, any idea of
which ht access to use? Do you provide service for this? if I cannot
do it? thanks very much, need some help.
http://hn.k12.oh.us ajcke
I have the same problem as samdix. Any solutions?
"404's are because pages were created by WP with : category or /page
#, or tags. not the post name which is my permalink structure"
Sam
Bump, again is there a solution for this problem I posted? Also does
the built in short link in the post admin area have any value, or
can we disable it somehow, I want my posts only to show the postname
...? Help, anyone? thanks. Sam.
*
Sop
This is incredible, you have answered everything I needed to know!!
Extremely grateful
wel
Hi Sir,
Really appreciated this your post. A true manifestation of a what a
computer scientist is. Hard work.
Cheers.
http://none mleenen
I have a .htaccess with the following 3 lines:
Deny from all
ErrorDocument 404 "404 means not found."
ErrorDocument 403 "403 means forbidden."
This should block all access to any page. Right?
When I use: http://localhost/index.php, my own 403 is returned.
However, when I use http://localhost/index.php the 'standard' error
document is returned.
How can I make sure that in all cases, my own customized 403 is
returned?
http://www.klobirne.com/ klobirne
I'm extremely impressed with your writing skills as well as with the
layout on your weblog. Is this a paid theme or did you customize it
yourself? Either way keep up the excellent quality writing, it's
rare to see a nice blog like this one today.
https://www.tagmydoc.com/dl/64g8w/9nY Bridgette
Nice blog here! Also your site loads up fast! What web host are you
using?
Can I get your affiliate link to your host? I wish my site loaded up
as quickly as yours lol
Noah
This is a fantastic resource. Thank you for all of the work you've
put into compiling this cache of information. Most people overlook

the protection and increase in usability some (comparatively) simple
server rules have to offer.
Puns intended, you're the man.
*
http://URL Sholac
Hello I just find this website very useful! Thanks!
After I had problems with attacks htaccess resolve my problems. I
still got attacks but they are blocked.
I put some things to my htaccess file of my wordpress website.
Can you look over it and tell me is it good, so I can add it to all
my websites.
Here is code from htaccess
----------------------------------------------------------------------------------------------------------------------------# STRONG HTACCESS PROTECTION

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule îndex.php$
[L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
RewriteCond
RewriteCond
RewriteCond
RewriteRule
%{QUERY_STRING} (|%3E) [NC,OR]

%{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
%{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
^(.*)$ index.php [F,L]
# directory browsing
Options All -Indexes
# QUERY STRING EXPLOITS
RewriteCond %{QUERY_STRING} ../ [NC,OR]
RewriteCond %{QUERY_STRING} boot.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag= [NC,OR]
RewriteCond %{QUERY_STRING} ftp: [NC,OR]
RewriteCond %{QUERY_STRING} http: [NC,OR]
RewriteCond %{QUERY_STRING} https: [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig [NC,OR]
RewriteCond %{QUERY_STRING} ^.*([|]|(|)|| | |;|?|*).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%22|%27|%3C|%3E|%5C|%7B|%7C).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|config|localhost|loopback).*
[NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare|drop).*
[NC]
RewriteRule ^(.*)$ [F,L]
-------------------------------------------------------------------------------------------------------------------------------------------------------------------Thanks, I really appreciate your help here!

Sholac
*
http://www.contrastchecker.com Peter Drinnan

Awesome tutorials! Saved me hours. Thank you!
Cam
I was recommended this web site by a friend.
I am not sure whether this post is written by him as no one else know
such detailed about my difficulty. You are amazing!
Thanks!
http://www.facebook.com/people/Abimo-Corde/1488081197 Abimo Corde

Superb! Thanks
Antonio Mineiro
Superb! Thanks
Casey Dwayne
Awesome article. Thanks for the great resource.
Casey Dwayne
Awesome article. Thanks for the great resource.
Kitty Halper
I'd like to have .htaccess look in a couple places for an image
before throwing an "image missing" image if it can't find it in
either place. Specifically...
if a request comes in for /images/**/*.png look there first
if that doesn't exist, look for /images/**/old/*.png
if neither exists, use /images/**/missing.png
I found the following code, but don t understand enough about it to
be able to rewrite it to suit the above needs.
# If requested resource exists as a file or directory, skip
next two rules
RewriteCond %{DOCUMENT_ROOT}/$1 -f [OR]
RewriteCond %{DOCUMENT_ROOT}/$1 -d
RewriteRule (.*) - [S=2]

#
# Requested resource does not exist, do rewrite if it exists
in /archive
RewriteCond %{DOCUMENT_ROOT}/archive/$1 -f [OR]
RewriteCond %{DOCUMENT_ROOT}/archive/$1 -d
RewriteRule (.*) /archive/$1 [L]
#
# Else rewrite requests for non-existent resources to
/index.php
RewriteRule
(.*) /index.php?q=$1 [L]
*
http://new-web-domains.com/ Web Domains

This is THE MOST AMAZING PAGE I have EVER come across regarding the
topic. Just beautiful !!!
http://www.frenchspanishonline.com/ Learn French for free

hi, I tried to return an alternate content with png file, it does
not work for me. I also blocked hotlinking from any browsers except
Firefox, this browser does not block my mp3 files for being accessed.
http://www.frenchspanishonline.com/ Learn French for free

Using the stop hotlinking code, Images and swf files are blocked but
not mp3 files that are still accessible from an external website
John
Great site! i have a question. I have a site with multiple, dated
.pdf files, with the filedate in the title of the URL, but googlebot
is having trouble assigning the correct date to some of those files.
I would like the date to be correct as I have Google site search in
place and would like the PDF files sorted properly when querying by
date. I thought one way of informing googlebot about the file las
modified date would be to serve this via httpd. Then googlebot would
better know the proper file creation date. Is there a way to do this
with .htaccess? Thanks. John
o
Hmm. As is the case almost always, yeah you can do this with
Htaccess, but this is a bit tricky. I would use a RewriteRule on
.pdf files and use a RewriteCond on it with sub patterns in the
reflex to capture the date from the file name and then set an
environment variable in the flags of that RewriteRule to contain
the validly formatted date. Then I would use a Header directive
below the rewrite to send the Last-Modified header with the
value being the environment variable.
But honestly if it were me I would use the Linux touch command
to physically set the last-modified date of

you want shown, then the date would show up
but if not, due to google being able to see
metadata present in PDF files, then I would
*
each PDF to the date

correctly in google,
the internal
modify the PDF meta.
hasdeep
Hi, can you help me. I have a webpage by the name of |page.php?id=7|
and multiple dynamic links. I have written the following code in
htaccess file:
RewriteCond
RewriteCond
RewriteRule
RewriteRule
%{THE_REQUEST} ?
%{QUERY_STRING} id=([0-9]+)
^$ /page.php%1? [R=301,L]
^([0-9]+)$ page.php?id=$1 [L]
Now, the problem is |example.com/page.php?id=1| and |example.com/1|

both links are opening. I am not able to redirect automatically
|example.com/page.php?id=1| to |example.com/1|
*
http://www.exploseo.fr Romain JEHAN

Hi,
This is an amazing article, I want to translate it on my french seo
blog : http://www.exploseo.fr/
Do I have your permission ?
Best regards,
Romain
Paid themes suck.
Wolf
Hi, can you help me. I have a webpage with this link, example
|https://site.com/news?start=5|, i want to redirect this page if
user add characters or something to the original url, example
Original URL: |https://site.com/news?start=5|
Modified: |https://site.com/news?start=5??%22/%3E%3Ca%20href=%|
i want to redirect to the original webpage if they put that
character to the final line of the original url, all character after
start=(0-9) how can i do that with htaccess?
o
See above article.
Norm D Stokes
This is by far one of the best pages I have seen, very educational
but I am still suffering from a weird problem that maybe someone can
help me with. I have a very basic website and use very simple php
include statements on my website to do my menu and footer. Very
simple works very well, but, I am now seeing google reporting
strange things like duplicate pages with duplicate meta descriptions
such as:
/x/p/A-F-M.html/A-1-2.html
/x/p/A-F-M.html/B-1-2.html
/x/p/A-F-M.html/C-1-2.html
/x/p/A-F-M.html/D-1-2.htm
/x/p/A-F-M.html/E-1-2.html
/x/p/A-F-M.html/F-1.html
/x/p/A-F-M.html/G-1.html
By looking at this you can see that these are NOT "valid" URL's they
are two URL's in one. I can go to any page ending in .htm or .html
and add "/test" press my return and I will stay on the say page get
a 200 ok response and see the"/test" added to to the URL. What I
would expect is a 404 Error page to come up as it is a non valid page.
In testing I discovered that is I remove
|AddHandler application/x-httpd-php5 .php .html .htm .shtml|
from my .htacess I do get the correct 404 error BUT I lose all menus
and footers. I am not a php kind of guy and this is a simple site,
can anyone tell me what needs to be changed to fix this.
Again this is a great page, thanks for the hard work
o
Just do a simple redirect match like dis:
RedirectMatch 301 ^([^.]+.html?).+$ $1
http://manggale.com Hidayat Mundana

After I test my website in gtmetrix kenerja, then YSlow for "Add
Expires headers" has a value of F (0).
Incidentally, I use w3 total cache plugin
please enlightenment (I'm still early for this optimization)
http://seo.qalebfa.ir/
Goooooooooooooood Post
every thing about htaccess
thanks
http://usbinaryoptionsinfo.com John Manderson

I was prepared to "diss" on this post as unrelated to what I was
actually looking for. Which is true, but that's more google's fault.
Anyway, I started reading anyway and I must say I ended up finding
out quite a bit of previously unknown important stuff about the
.htaccess file. Thanks.

Cheers!
MM
o
Thanks for saying so!
Of course! Per my copyright anything on this site can be
republished, modified, sold, anything goes as long as you include a
link back to the original.
http://www.themesrefinery.com/ Themesrefinery
Really such a nice info.Thanks for this.
David Cunningham
Newbie: I am using web host's password protection (creates htaccess
for web folder/new directory on web server). Our company creates
inspection reports for the big oil companies storage tanks. We want
to allow each company to access their reports online. I can password
protect the directory for each company but I notice that if they
close web page or the web browser or hit back button to the initial
page in their directory it keeps the credentials. How do I force
them to always have to use their credentials when they access their
directory?
http://princetonweb.org//Neighbors/pmwiki.php?n=UnitedStates.UnitedStates?se
tskin=?setcolor=US
jagtig
I suspect that the htaccess script stopping hotlinking
my server's Apache module. They slow my site down, and
feature on one occasion. Who polices the Apache module
server-side? The hot-linking script would be the chief
targeted like that, for reasons that you may see.
*
are hacked in
have broken a
once it's
htaccess code
http://www.google.com DevilWearsPrada
hey all ,
wonder if someone can help with some urgent matter :(
Need to do this
IP matches X on SITE A gets redirected to SITE B
IP matches Y on SITE B gets redirected to SITE A
is it possible ?
i thought i had it but then it tells me the site has a redirect loop
thanx guys
*
Guest
Wow, what a definitive guide! I wonder if anyone could advice me on
a code to use for a site.
If people use https they will be forwarded to the log-in page of a
members-only Joomla site in a sub-directory of the same domain.
Everone else (unsecrured) gets sent to another URL on another domain.
Karl Andersson
Wow, what a definitive guide! I wonder if anyone could advice me on
a code to use for a non-profit site.
If people use https they will be forwarded to the log-in page of a
members-only Joomla site in a sub-directory of the same domain.
Everyone else (unsecured) gets sent to another URL on another domain.
jorge soares
Hi !
My .htaccess is working
Only one but...
I Prevent hotlinking of
local develops the site
There is some .htaccess
like a charm.
images, and I can't see those images when I
with my PhpDesigner.
directive in order to achieve this goal?
thanx guys
*
http://sitedesign.joomir.com/ Ahmad Balavipour

Thanks alot about this article, where can i find tutorial on master
htaccess for joomla?
waveleh
Please ignore this query, I will found appropriate page of AA WP
plugin. Sorry for wrong posting.
--Very brilliant plugin!
I have two problems though:
1. Captcha stopped working
2. Mobile version of the theme is not working
Thanks
-----------------------------------------------------------------------Related Articles
* Using TIME_HOUR and TIME_MIN for htaccess RewriteCond

<http://www.askapache.com/htaccess/using-time_hour-and-time_min-rewritecondin-htaccess-2.html>
* Speed Up Sites with htaccess Caching
<http://www.askapache.com/htaccess/speed-up-sites-with-htaccess-caching.html
>
* Commonly Used htaccess Code
<http://www.askapache.com/htaccess/commonly-used-htaccess-code-examples.html
>
<http://www.gnu.org/philosophy/free-sw.html>
-----------------------------------------------------------------------My Online Tools
* *Base64 Image Converter*
<http://www.askapache.com/online-tools/base64-image-converter/>
* Boss HTTP Debugger
<http://www.askapache.com/online-tools/http-headers-tool/>
* Quick CSS Compressor
<http://www.askapache.com/online-tools/compress-css/>
* Whoami - Your Info <http://www.askapache.com/online-tools/whoami/>
Popular Articles
* THE Ultimate Htaccess
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html>
* Mod_Rewrite Tips and Tricks
<http://www.askapache.com/htaccess/modrewrite-tips-tricks.html>
* Crazy Advanced Mod_Rewrite
<http://www.askapache.com/htaccess/crazy-advanced-mod_rewrite-tutorial.html>
* THE Mod_Rewrite Cheatsheet
<http://www.askapache.com/htaccess/mod_rewrite-variables-cheatsheet.html>
<http://www.askapache.com/feed/>
----------------------------------------------------------------------------------------------------------------------------------------------In the 70s, computer users lost the freedoms to redistribute and
change software because they didn't value their freedom. Computer
users regained these freedoms in the 80s and 90s because a group of
idealists, the GNU Project, believed that freedom is what makes a
program better, and were willing to work for what we believed in.
-- Richard M. Stallman
<http://www.gnu.org/philosophy/linux-gnu-freedom.html>
-----------------------------------------------------------------------Hacking and Hackers
The use of "hacker" to mean "security breaker" is a confusion on the
part of the mass media. We hackers refuse to recognize that meaning,
and continue using the word to mean someone who loves to program,
someone who enjoys playful cleverness, or the combination of the
two. See my article, On Hacking
<http://stallman.org/articles/on-hacking.html>.
-- Richard M. Stallman
<http://www.gnu.org/philosophy/linux-gnu-freedom.html>
----------------------------------------------------------------------------------------------------------------------------------------------Twitter
<http://twitter.com/askapache>
-----------------------------------------------------------------------* @askapache Nov 14
<https://twitter.com/askapache/status/533296675264409600>
t.co/A9j4tjBS89 <https://t.co/A9j4tjBS89>
* @askapache Nov 9
<https://twitter.com/askapache/status/531269409751318528>I asked a
bad coder, are u ignorant, or are u apathetic? He said, I don't
know, and I don't care.
* @askapache Nov 8
<https://twitter.com/askapache/status/530936583050895362>A hacker
only laughs at generous bribes. There is no exit.
* @askapache Nov 8
<https://twitter.com/askapache/status/530922550390300672>Pain and
Growth go hand-in-hand. Or take the easy way, use the shortcut, the
choice is yours.
* @askapache Nov 8
<https://twitter.com/askapache/status/530910480219774976>Endure the
pain, dig deep. Take the lead in front of everyone.
* @askapache Nov 2
<https://twitter.com/askapache/status/528932719787401216>So stoked
for the Movie Blackhat
* <http://pbs.twimg.com/media/B1Y9q_8CcAEpDoZ.jpg>Grand Central
Payfone, New York City t.co/oREBPBr9DJ <http://t.co/oREBPBr9DJ>
* <http://pbs.twimg.com/media/B1T55AsIcAEWwID.jpg>Grand Central. Where
Payphones are Fones. t.co/eMZrorOpVh <http://t.co/eMZrorOpVh>
* <http://pbs.twimg.com/media/B0gCGdjCIAEdASU.jpg>broke the rec for
fastest imports of WP xml export files. 2k imports/min, and not even
parallel. Also me tmux :) t.co/nlPe3UX8OL <http://t.co/nlPe3UX8OL>
* <http://pbs.twimg.com/media/BztttXpCcAAHekQ.jpg>Crypto, by Steven
Levy. An almost prescient read. t.co/stq9h8li7K
<http://t.co/stq9h8li7K>
* <http://pbs.twimg.com/media/Bzn3azGCEAAfbK4.jpg>How Google Works
t.co/tCvZDnRYki <http://t.co/tCvZDnRYki>
* <http://pbs.twimg.com/media/BywouShCQAACuvS.jpg>New wireless gear:
Nighthawk dd-wrt router, bluetooth & high-gain wifi USB adapters.
Adapters from @PwnieExpress t.co/yIfn0WfYxI <http://t.co/yIfn0WfYxI>
* <http://pbs.twimg.com/media/ByelwRvCQAI1bAa.jpg>Got me a pwn plug
from defcon t.co/Zo4XXcCFdj <http://t.co/Zo4XXcCFdj>
* <http://pbs.twimg.com/media/BxboWzaCIAAHsvZ.jpg>The Computers Boys
Take Over - t.co/fvQZiBgWSU <http://t.co/fvQZiBgWSU>
t.co/tr0yxBisW8 <http://t.co/tr0yxBisW8>
* <http://pbs.twimg.com/media/BxXZ6Q1CQAAL3e8.jpg>'10 Multiplex
t.co/Ons3wRPavj <http://t.co/Ons3wRPavj> t.co/d7lc0T93HS
<http://t.co/d7lc0T93HS>
* <http://pbs.twimg.com/media/BwxnFnFCUAAUDzl.jpg>Elite Log File
Scrolling with Color Syntax t.co/5EDSwAkGdC
<https://t.co/5EDSwAkGdC>
t.co/6YiMMUqQxC <http://t.co/6YiMMUqQxC>
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<http://www.fsf.org/register_form?referrer=7511>
-----------------------------------------------------------------------* AskApache <http://www.askapache.com/>
o Contact <http://www.askapache.com/about/contact/>
o About <http://www.askapache.com/about/>
o Site Map <http://www.askapache.com/about/site-map/>
o Htaccess Search <http://www.askapache.com/cse/>
o WireShark <http://wireshark.askapache.com/>
o GNU <http://gnu.askapache.com/>
o Non-GNU <http://nongnu.askapache.com/>
o Tor Project <http://tor.askapache.com/>
o TLDP - Documentation <http://tldp.askapache.com/>
o PUBLIC <http://www.askapache.com/pub/>
* Site Map <http://www.askapache.com/about/site-map/>
o CSS <http://www.askapache.com/category/css/>
o Google <http://www.askapache.com/category/google/>
o Hacking <http://www.askapache.com/category/hacking/>
o Htaccess <http://www.askapache.com/category/htaccess/>
o Javascript <http://www.askapache.com/category/javascript/>
o Linux <http://www.askapache.com/category/linux/>
o Optimization <http://www.askapache.com/category/optimize/>
o PHP <http://www.askapache.com/category/php/>
o Security <http://www.askapache.com/category/security/>
o SEO <http://www.askapache.com/category/seo/>
o Shell Scripting <http://www.askapache.com/category/shellscript/>
o WordPress <http://www.askapache.com/category/wordpress/>
* Online Tools <http://www.askapache.com/online-tools/>
o Raw HTTP Header Debugger
<http://www.askapache.com/online-tools/http-headers-tool/>
o Graphical ASCII Text Generator
<http://www.askapache.com/online-tools/figlet-ascii/>
o .htpasswd file Generator
<http://www.askapache.com/online-tools/htpasswd-generator/>
o Who Am I
Your IP Information
<http://www.askapache.com/online-tools/whoami/>
o Base64 Image Converter
<http://www.askapache.com/online-tools/base64-image-converter/>
o JavaScript Source Code Beautifier
<http://www.askapache.com/online-tools/javascript-beauty/>
o Compress CSS <http://www.askapache.com/online-tools/compress-css/>
o Mac Address Vendor Lookup
<http://www.askapache.com/online-tools/mac-lookup/>
o DNS Tracer <http://www.askapache.com/online-tools/dns-trace/>
o Request Method Security Scanner
<http://www.askapache.com/online-tools/request-method-scanner/>
o P3P Privacy File Generator
<http://www.askapache.com/online-tools/p3p-privacy-generator/>
o Flash crossdomain.xml Generator
<http://www.askapache.com/online-tools/flash-crossdomain-xml/>
Search
7ads6x98y
[hide]
It's very simple - you read the protocol and write the code. -Bill Joy
RSS
<http://feedvalidator.org/check.cgi?url=http://www.askapache.com/feed/>
| XHTML 1.1
<http://validator.w3.org/check/referer?ss=1;outline=1;sp=1;debug> | CSS
2.1 <http://jigsaw.w3.org/css-validator/check/referer?warning=0>
Except where otherwise noted, content on this site is licensed under a
Creative Commons Attribution 3.0 License
<http://creativecommons.org/licenses/by/3.0/>, just credit with a link.
This site is not supported or endorsed by The Apache Software Foundation
(ASF). All software and documentation produced by The ASF is licensed.
"Apache" is a trademark of The ASF. NCSA HTTPd
<http://hoohoo.ncsa.illinois.edu/>.
UNIX is a registered Trademark of The Open Group
<http://www.opengroup.org/>. POSIX is a registered Trademark of The
IEEE <http://standards.ieee.org/>.
+Askapache <https://plus.google.com/+Askapache> | askapache
<http://profiles.wordpress.org/askapache>
Site Map <http://www.askapache.com/about/site-map/> | Contact Webmaster
<http://www.askapache.com/about/contact/> | License and Disclaimer
<http://www.askapache.com/about/disclaimer-and-license/> | Terms of
Service <http://www.askapache.com/about/statements/>
TOP
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#logo>Main
<file:///tmp/maftemp-8ee24daf/1417061869000_504/index.html#ContentW><http://www.
quantcast.com/p-5e44cjdXWaqOA><http://www.alexa.com/data/details/main/www.askapa
che.com>

Htaccess - The Ultimate .Htaccess

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Htaccess - The Ultimate .Htaccess

Uploaded by

Copyright:

Available Formats

AskApache Web Development <http://www.askapache.

com/>FREE THOUGHT FREE

* Htaccess File Syntax

16. 301 Redirect Entire Directory

21. Map any request to a handler

Htaccess file know-how will do several things for you:

website noticeably faster.

AskApache Htaccess Journey

sell, or use anything on this site ;)

Specifically, .htaccess is the default file name of a special

Another requirement for emulating the NCSA server is being able to

Unlike the main server configuration files like httpd.conf

Htaccess File Syntax

When developing sites

AuthName "Under Development"

Show CGI Source Code

RemoveHandler cgi-script .pl .py .cgi

RewriteCond %{REQUEST_URI} !^/(robots\.txt|favicon\.ico|sitemap\.xml)$

Rewrite to www dynamically

%{REQUEST_URI} !^/robots\.txt$ [NC]

301 Redirect Old File

Redirect 301 /old/file.html /new/file.html

Implementing a Caching Scheme with .htaccess

Blocking based on User-Agent Header

SetEnvIfNoCase ^User-Agent$ .*(craftbot|download|extract|stripper|sucker|ninja|c

.htaccess for mod_php

SetEnv PHPRC /location/todir/containing/phpinifile

.htaccess for php as cgi

AddHandler php-cgi .php .htm

^If-Modified-Since$ "(.+)" HTTP_IF_MODIFIED_SINCE=$1

Turn logging off for IP

SecFilterSelective REMOTE_ADDR "208\.113\.183\.103" "nolog,noauditlog,pass"

SecFilterSelective REMOTE_ADDR "!^208\.113\.183\.103" "nolog,noauditlog,pass"

# or added with the Action directive (see below)

## FORCE FILE TO DOWNLOAD INSTEAD OF APPEAR IN BROWSER

Handlers be builtin, included in a module, or added with Action directive

## DENY REQUEST BASED ON REQUEST METHOD

SSLRequire %{HTTP_HOST} eq "askapache.com"

%{THE_REQUEST} ^[A-Z]{3,9}\ /wp-content/.*$ [NC]

%{THE_REQUEST} ^[A-Z]{3,9}\ /wp-includes/.*$ [NC]

Denies any request for a url containing characters other than

Denies any POST request that doesnt have a Content-Length Header[403

BAD Content Type

Denies any POST request with a content type other than

RewriteCond %{REQUEST_METHOD} =POST

Denies requests that dont contain a HTTP HOST Header.[403

No UserAgent, Not POST

Denies POST requests by blank user-agents. May prevent a small number of

Denies any comment attempt with a blank HTTP_REFERER field, highly

indicative of spam. May prevent some visitors from POSTING. [403

Denies obvious trackback spam. See Holy Shmoly! [403

Map all URIs except those corresponding to existing files to a

Best .htaccess Articles

.htaccess for Webmasters

* Speed Up Sites with htaccess Caching

* htaccess time cheat sheet

PHP htaccess tips

By using some cool .htaccess tricks we can control PHP to be run as a

ourselves or use .htaccess to force php to use a local php.ini file. If

Site Security with .htaccess

The order of merging is:

ISAPIAppendLogToErrors, ISAPIAppendLogToQuery, ISAPICacheFile,

Apache HTTP Server comes with the following programs

Source: Apache API notes <http://httpd.apache.org/docs/1.3/misc/API.html>

I want to have wild-subdomains (yes I have /root access/!). I want