Monday, 2 July 2012

.htaccess tricks and tips

.htaccess is a powerful and essential tool for your Apache web server. When you place a custom .htaccess file in your web root directory, the web server applies it automatically, and its rules help protect your files, directories and subdirectories.

.htaccess stands for hypertext access file. By default, the .htaccess file resides in your PHP installation directory.

You can also place a custom .htaccess file in your web directory to protect files, directories and subdirectories. To do that, just create a .htaccess file with the rules inside it.

Let's look at some tips and tricks.

To comment code in .htaccess

Commenting is essential for understanding the code or rules that you have specified for your server's protection. A comment starts with a leading "#" symbol, which is called the pound sign. A multi-line comment needs a # at the start of every line.
Ex.
     # This is a comment line leading with a pound sign
     # Line two with another pound sign

Enable Basic Rewriting Mode/ Engine

The rewriting module, "mod_rewrite", is not enabled by default on many servers, so first use the following line to enable it. This lets you add rewriting rules to the server.
Ex.
     # Enable Rewrite Engine
     RewriteEngine on

Enable Symbolic Links (FollowSymLinks)

FollowSymLinks is a directive in your web server configuration that tells the web server to follow so-called symbolic links. As one would expect, FollowSymLinks is short for Follow Symbolic Links. FollowSymLinks is a very important setting that plays a role in your website security.

Simply put, enabling FollowSymLinks lets the server show a path, such as an image path, that is not the actual one. For this to work, the AllowOverride option must be turned on.
Ex.
     Options +FollowSymLinks

Enable AllowOverride Option

When this directive is set to None, then .htaccess files are completely ignored. In this case, the server will not even attempt to read .htaccess files in the filesystem.

When this directive is set to All, then any directive which has the .htaccess Context is allowed in .htaccess files.
Ex.
     AllowOverride All | None | directive-type
For more information about AllowOverride, visit:
 http://httpd.apache.org/docs/2.2/mod/core.html#allowoverride
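
As an added example (not from the original post), here is the server-side counterpart to the rules in this article: a `<Directory>` block that grants .htaccess files only the override classes that the directives used here need, instead of `AllowOverride All`. The directory paths are placeholders.

```apache
# Server configuration (httpd.conf or a virtual host), NOT .htaccess.
# "/var/www/example" is a placeholder document root.
<Directory "/var/www/example">
    # Override class needed by each directive used in this article:
    #   FileInfo : RewriteEngine, RewriteCond, RewriteRule, Redirect,
    #              ErrorDocument, AddType
    #   Indexes  : DirectoryIndex, IndexIgnore
    #   Limit    : Order, Allow, Deny
    #   Options  : Options (+FollowSymLinks, -Indexes)
    # AuthConfig is left out on purpose: nothing here uses Auth* directives.
    AllowOverride FileInfo Indexes Limit Options
</Directory>

# Placeholder for a directory that web applications can write to.
# With None the server never reads .htaccess files there, so a file
# dropped into it cannot change handlers, rewrites or access rules.
<Directory "/var/www/example/uploads">
    AllowOverride None
</Directory>
```

A .htaccess directive whose class is not listed is rejected by the server with a 500 Internal Server Error for that directory, so test each rule after tightening AllowOverride.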

Rename .htaccess File

To protect and hide the contents of the .htaccess file, it is essential to rename the file to something else.
Note: This directive must be placed in the server-wide configuration file or it will not work:
# rename htaccess files
AccessFileName ht.access
Note: If you rename your htaccess files, remember to update any associated configuration settings. For example, if you are protecting your htaccess file via FilesMatch, remember to inform it of the renamed files:
# protect renamed htaccess files
<FilesMatch "^ht\.">
Order deny,allow
Deny from all
</FilesMatch> 

Make Custom Directory Index File

It is possible to change the default index file to some other file, even one in another directory, with the help of the following code.
Ex.
     DirectoryIndex index.html index.php index.htm

Set Custom Error Page

Replicate the following patterns to serve your own set of custom error pages. Simply replace the “/errors/###.html” with the correct path and file name. Also change the “###” preceding the path to pages for other errors. 

Note: your custom error pages must be larger than 512 bytes in size or they will be completely ignored by Internet Explorer:
# serve custom error pages 
ErrorDocument 400 /errors/400.html 
ErrorDocument 401 /errors/401.html 
ErrorDocument 403 /errors/403.html 
ErrorDocument 404 /errors/404.html 
ErrorDocument 500 /errors/500.html

# provide a universal error document
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^.*$ /dir/error.php [L]

Prevent Access to Specific File

To restrict access to a specific file, add the following code block and edit the file name, “secretfile.jpg”, with the name of the file that you wish to protect:
# prevent viewing of a specific file
<files secretfile.jpg>
order allow,deny
deny from all
</files>

Prevent access to multiple file types

To restrict access to a variety of file types, add the following code block and edit the file types within parentheses to match the extensions of any files that you wish to protect:
<FilesMatch "\.(htaccess|htpasswd|ini|phps|fla|psd|log|sh)$">
Order Allow,Deny
Deny from all
</FilesMatch>
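
On Apache 2.4 the Order/Allow/Deny directives used above are provided only by the compatibility module mod_access_compat; the native form is the Require directive from mod_authz_core. The following added example (not part of the original post) writes the same deny rule so that it works on both 2.2 and 2.4.

```apache
# Deny direct requests for sensitive file types on Apache 2.2 and 2.4.
<FilesMatch "\.(htaccess|htpasswd|ini|phps|fla|psd|log|sh)$">
    # Apache 2.4 and later: mod_authz_core is loaded.
    # In .htaccess, Require needs AllowOverride AuthConfig.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>

    # Apache 2.2: mod_authz_core does not exist, use the old syntax.
    # In .htaccess, Order/Deny need AllowOverride Limit.
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>
```

Only one of the two IfModule sections is active on a given server, which avoids mixing the old and new access directives in one rule.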

Prevent Unauthorized Directory Browsing

This is essential for hiding your directory listing.

Prevent unauthorized directory browsing by instructing the server to serve a “xxx Forbidden – Authorization Required” message for any request to view a directory. For example, if your site is missing its default index page, everything within the root of your site will be accessible to all visitors. To prevent this, include the following htaccess rule:
# disable directory browsing
# (options with + or - must not be mixed with bare options such as All)
Options -Indexes
Conversely, to enable directory browsing, use the following directive:
# enable directory browsing
Options +Indexes
Likewise, this rule will prevent the server from listing directory contents:
# prevent folder listing
IndexIgnore * 
And, finally, the IndexIgnore directive may be used to prevent the display of select file types:
# prevent display of select file types
IndexIgnore *.wmv *.mp4 *.avi *.etc

Redirect From Old URL to New URL / Redirect from One Domain to Another With 301 Redirect

Redirect an entire site via 301:
# redirect an entire site via 301
redirect 301 / http://www.domain.com/
Redirect a specific file via 301:
# redirect a specific file via 301
redirect 301 /current/currentfile.html http://www.newdomain.com/new/newfile.html
Redirect an entire site via permanent redirect:
# redirect an entire site via permanent redirect
Redirect permanent / http://www.domain.com/
Redirect a page or directory via permanent redirect:
# redirect a page or directory
Redirect permanent /old_file.html http://www.new-domain.com/new_file.html
Redirect permanent /old_directory/ http://www.new-domain.com/new_directory/

Redirect browser to https (ssl)

Add the following snippet to your htaccess file to redirect the entire website to https.
RewriteEngine On
RewriteCond %{HTTPS} !on
# R=301 sends a permanent redirect; L stops processing further rules
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Replace .php file extension with any other like .htm or .html or .asp or .pl (Any Desired extension)

It is very convenient and easy to replace the .php extension for security. PHP pages can easily be shown as .htm, .html or something else with the following code.
AddType application/x-httpd-php .html
or for the .htm extension
AddType application/x-httpd-php .htm
If the extension of your PHP files is .php5, then replace httpd-php with httpd-php5, followed by .yourDesired extension.
If you want to replace the URL of only one page, say pageName.html or file.html, it is convenient to use the Files directive:
<Files pageName.html>
AddType application/x-httpd-php .html
</Files>

Hide extension of files

It's also very easy to hide the .php extension in your web page URLs. Add the following code to your .htaccess file. Your page will look like www.yourDomain.com/pageName instead of www.yourDomain.com/pageName.php
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME}\.php -f
RewriteRule ^(.*)$ $1.php