htaccess files

Design

Block Access to Hidden Files and Directories

We try to push our code to productions servers without hidden files and directors, like our revision system directors, but that doesn't always happen. This snippet prevents those files from being accessible:

RewriteCond %{SCRIPT_FILENAME} -d [OR] RewriteCond %{SCRIPT_FILENAME} -f RewriteRule "(^|/)\." - [F]

See also
How To Block Bots, Ban IP Addresses With .htaccess

General Tips

This lets google crawl the page, lets me access without a password, and lets my client access the page WITH a password. It also allows for XHTML and CSS validation! (w3.org)
AuthName "Under Development"
AuthUserFile /web/sitename.com/.htpasswd
AuthType basic
Require valid-user
Order deny,allow
Deny from all
Allow from 208.113.134.190 w3.org htmlhelp.com googlebot.com
Satisfy Any
 
Redirect non-https requests to https server and ensure that .htpasswd authorization can only be entered across HTTPS
SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "askapache.com"
ErrorDocument 403 https://askapache.com
 
block visitors referred from indicated domains
 
 RewriteEngine on
 RewriteCond %{HTTP_REFERER} scumbag\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} wormhole\.com [NC,OR]
 RewriteRule .* - [F]
 
 
Redirect to a New File
Redirect 301 /old/file.html http://www.askapache.com/new/file.html
 

SSL wildcard use with subdomains

In the .htaccess file in your public_html directory, for each subdomain that needs an SSL certificate, you will need to add the following:
 
RewriteEngine on
RewriteCond %{SERVER_PORT} ^443$
RewriteCond %{HTTP_HOST} ^sub\.domain\.com$ [NC]
RewriteCond %{REQUEST_URI} !^/sub/
RewriteRule ^(.*) /sub/$1
 
You'll want to replace sub with the appropriate data, of course.
 
 
For each subfolder you need the same lines, for example for sub1 and sub2
 
RewriteEngine on
RewriteCond %{SERVER_PORT} ^443$
RewriteCond %{HTTP_HOST} ^sub1\.domain\.com$ [NC]
RewriteCond %{REQUEST_URI} !^/sub1/
RewriteRule ^(.*) /sub1/$1
RewriteCond %{SERVER_PORT} ^443$
RewriteCond %{HTTP_HOST} ^sub2\.domain\.com$ [NC]
RewriteCond %{REQUEST_URI} !^/sub2/
RewriteRule ^(.*) /sub2/$1
 
 
In case you need to redirect all HTTP request to HTTPS you can add after rewriteengine on
 
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

Securing Your sites - good htaccess ideas

Web Designer Issue 210
 
//step10//
 
//code// 
order allow,deny
deny from all
 
 
 
//code//
# prevent directory browsing
Options -Indexes
 
//step17//
 
//code//
 
# return 403 Forbidden when someone puts script tags or GLOBALS or _REQUEST stuff in the URL
#
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
 
 

Use htaccess file to secure configuration files

 
Options -Indexes
 
order allow,deny
deny from all
 
 
order allow,deny
deny from all
 

 

Further Reading

.htaccess URL Rewriting Tool

htaccess tester

The Answers to all your concerns about the Spam in Google Analytics

Advanced PHP Error Handling via htaccess : Perishable Press

Stupid htaccess Tricks | Perishable Press

How to use the htaccess file

Book Store | .htaccess made easy this is a book.

Snippets of code to use in htaccess.

.Htaccess Redirect Generator
Free htaccess redirect generator for directory, pages, apache https to http, 301 redirects,302, 404, password, 500, ip blocking,hotlinks, error pages rewrite rules online.
How do I Force my Website to use SSL? | Web Hosting Hub
Redirect customers to the secure https version of your website, you can modify your .htaccess to handle the redirect.

http://www.askapache.com/htaccess/apache-ssl-in-htaccess-examples.html

http://www.askapache.com/htaccess/ssl-example-usage-in-htaccess.html#redirect-http-to-https

This page contains information I gathered and thought were very useful. See more notes on the web.

Just to let you know, this page was last updated Saturday, Sep 18 21