Apache Htaccess Reference - Jan Zumwalt


    This and many other developer references available at http://neatinfo.com/

    by Jan Zumwalt - NeatInfo.com


    By: Jan Zumwalt - NeatInfo.com, May 15, 2012. Apache / Htaccess Reference. Copyright 2005-2012


    Table of Contents

    Section - 1 .htaccess tips and tricks
      Introduction to .htaccess..
      .htaccess files are invisible
      What are .htaccess files anyway?
      Is .htaccess enabled?

    Section - 2 What .htaccess can do
      Control access..
      Custom error documents..
      Password protected directories..
      Get better protection..
      500 error..
      Groovy things to do with .htaccess..
      custom directory index files
      Save bandwidth with .htaccess!
      Hide and deny files..
      More stuff..
      over to you..

    Section - 3 htaccess
      Apache Gzip Compression
      Another method
      Rails Cache
      Redirect Not-WWW to WWW

    Section 4 from www to non-www
      Security Rules
      Enable Directory Browsing
      Disable Directory Browsing
      Customize Error Messages
      Get SSI working with HTML/SHTML
      Change Default Page (order is followed!)
      Block Users from accessing the site
      Allow only LAN users
      Redirect Visitors to New Page/Directory
      Block site from specific referrers
      Want to show a Stealing is Bad message too?
      Stop .htaccess (or any other file) from being viewed
      Avoid the 500 Error
      Grant CGI Access in a directory
      Password Protecting Directories
      Change Script Extensions
      Use MD5 Digests
      The CheckSpelling Directive
      The ContentDigest Directive
      Enable Gzip to Save Bandwidth
      Turn off magic_quotes_gpc
      Set an Expires header and enable Cache-Control
      Skip the download dialogue using .htaccess
      Using htaccess to Prevent Hacking
      301 Website Redirect
      Turning on Server Side Includes (SSI)
      Parse HTML files as PHP

    Section 5 Redirecting and Rewriting
      beginning rewriting..
      simple rewriting
      not-so-simple rewriting ... flat links and more
      shortening URLs
      capturing variables
      cooler access denied
      Ban User Agents, referrers, script-kiddies and more..
      Don't let just anyone hammer your site!
      prevent hot-linking
      lose the "www"
      multiple domains in one root
      automatic translation
      httpd.conf
      inheritance..
      cookies
      conclusion

    Section 6 Troubleshooting Tips
      Fatal Redirection
      rewrite logging..
      debug-report.php

    Back Page
      Documentation
      http://www.htaccesseditor.com/en.shtml
      Tutorials
      References


    Note: This is a new document and is not

    fully formatted (a work in progress).

    2012-03-18

    Section - 1 .htaccess tips and tricks

    Much of the material presented here is based on an excellent tutorial at http://corz.org/serv/tricks/

    Introduction to .htaccess..

    This work in constant progress is some collected wisdom, stuff I've learned on the topic of .htaccess hacking, commands I've used successfully in the past, on a variety of server setups, and in most cases still do. You may have to tweak the examples some to get the desired result, though, and a reliable test server is a powerful ally, preferably one with a very similar setup to your "live" server. Okay, to begin..

    .htaccess files are invisible

    There's a good reason why you won't see .htaccess files on the web; almost every web server in the world is configured to ignore them, by default. Same goes for most operating systems. Mainly, it's the dot "." at the start, you see?

    If you don't see, you'll need to disable your operating system's invisible file functions, or use a text editor that allows you to open hidden files, something like bbedit on the Mac platform. On windows, showing invisibles in explorer should allow any text editor to open them, and most decent editors to save them too**. Linux dudes know how to find them without any help from me.

    [Image: a win32 Apache mirror of corz.org]

    [Image: that same folder, as seen from Mac OS X]

    In both images, the operating system has been instructed to display invisible files. ugly, but necessary sometimes. You will also need to instruct your ftp client to do the same.

    By the way; the windows screencap is more recent than the mac one, moved files are likely being handled by my clever 404 script.


    ** even notepad can save files beginning with a dot, if you put double-quotes around the name when you save it; i.e. ".htaccess". You can also use your ftp client to rename files beginning with a dot, even on your local filesystem; works great in FileZilla.

    What are .htaccess files anyway?

    Simply put, they are invisible plain text files where one can store server directives. Server directives are anything you might put in an Apache config file (httpd.conf) or even a php.ini**, but unlike those "master" directive files, these .htaccess directives apply only to the folder in which the .htaccess file resides, and all the folders inside.

    This ability to plant .htaccess files in any directory of our site allows us to set up a finely-grained tree of server directives, each subfolder inheriting properties from its parent, whilst at the same time adding to, or over-riding certain directives with its own .htaccess file. For instance, you could use .htaccess to enable indexes all over your site, and then deny indexing in only certain subdirectories, or deny index listings site-wide, and allow indexing in certain subdirectories. One line in the .htaccess file in your root and your whole site is altered. From here on, I'll probably refer to the main .htaccess in the root of your website as "the master .htaccess file", or "main" .htaccess file.

    There's a small performance penalty for all this .htaccess file checking, but not noticeable, and you'll find most of the time it's just on and there's nothing you can do about it anyway, so let's make the most of it..

    ** Your main php.ini, that is, unless you are running under phpsuexec, in which case the directives would go inside individual php.ini files

    Is .htaccess enabled?

    It's unusual, but possible that .htaccess is not enabled on your site. If you are hosting it yourself, it's easy enough to fix; open your httpd.conf in a text editor, and locate this section..

    Your DocumentRoot may be different, of course..

    # This should be changed to whatever you set DocumentRoot to.
    #
    #

    ..locate the line that reads..

    AllowOverride None

    ..and change it to..

    AllowOverride All

    Restart Apache. Now .htaccess will work. You can also make this change inside a virtual host, which would normally be preferable.

    If your site is hosted with someone else, check your control panel (Plesk, CPanel, etc.) to see if you can enable it there, and if not, contact your hosting admins. Perhaps they don't allow this. In which case, switch to a better web host.
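
`AllowOverride All` lets every .htaccess file under the DocumentRoot use any directive that is legal there. As an added example (not part of the original reference), a virtual host can instead name only the override classes that the directives in this reference need; the host name and paths are placeholders.

```apache
# httpd.conf or a virtual host file. Host name and paths are placeholders.
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot "/var/www/example"

    <Directory "/var/www/example">
        # Override classes, and the directives from this reference they unlock:
        #   AuthConfig  AuthType, AuthName, AuthUserFile, Require
        #   Limit       order, allow, deny
        #   FileInfo    ErrorDocument, RewriteEngine, RewriteCond, RewriteRule
        #   Indexes     DirectoryIndex, IndexOptions, HeaderName
        #   Options     Options, plus php_value under mod_php
        #
        # This site only password-protects folders, filters by IP address and
        # serves custom error pages, so three classes are enough. A .htaccess
        # file that uses a directive from a class not listed here produces a
        # 500 error instead of taking effect.
        AllowOverride AuthConfig Limit FileInfo
    </Directory>

    <Directory "/var/www/example/archives">
        # AllowOverride is not cumulative: this line replaces the one above
        # for this subtree. It permits index settings and lets .htaccess
        # switch on Indexes and MultiViews, but no other Options value
        # (an "Options +FollowSymlinks" here would be refused).
        AllowOverride Indexes Options=Indexes,MultiViews
    </Directory>
</VirtualHost>
```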


    Section - 2 What .htaccess can do

    Almost any directive that you can put inside an httpd.conf file will also function perfectly inside an .htaccess file. Unsurprisingly, the most common use of .htaccess is to..

    Control access..

    .htaccess is most often used to restrict or deny access to individual files and folders. A typical example would be an "includes" folder. Your site's pages can call these included scripts all they like, but you don't want users accessing these files directly, over the web. In that case you would drop an .htaccess file in the includes folder with content something like this..

    NO ENTRY!

    # no one gets in here!
    deny from all

    which would deny ALL direct access to ANY files in that folder. You can be more specific with your conditions, for instance limiting access to a particular IP range, here's a handy top-level rule for a local test server..

    NO ENTRY outside of the LAN!

    # no nasty crackers in here!
    order deny,allow
    deny from all
    allow from 192.168.0.0/24
    # this would do the same thing..
    #allow from 192.168.0

    Generally these sorts of requests would bounce off your firewall anyway, but on a live server (like my dev mirror sometimes is) they become useful for filtering out undesirable IP blocks, known risks, lots of things. By the way, in case you hadn't spotted; lines beginning with "#" are ignored by Apache; handy for comments.

    Sometimes, you will only want to ban one IP, perhaps some persistent robot that doesn't play by the rules..

    post user agent every fifth request only. hmmm. ban IP..

    # someone else giving the ruskies a bad name..
    order allow,deny
    deny from 83.222.23.219
    allow from all

    The usual rules for IP addresses apply, so you can use partial matches, ranges, and so on. Whatever, the user gets a 403 "access denied" error page in their client software (browser, usually), which certainly gets the message across. This is probably fine for most situations, but in part two I'll demonstrate some cooler ways to deny access, as well as how to deny those nasty web suckers, bad referrers, script kiddies and more.
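
The access rules above use the Apache 2.2 `order`/`allow`/`deny` syntax, which Apache 2.4 accepts only while mod_access_compat is loaded. As an added example (not part of the original reference), here are the same three rules in the 2.4 `Require` syntax, plus a form of the LAN rule that loads on both versions. Each numbered block is a separate .htaccess file, and the addresses are the ones used above.

```apache
# --- 1. NO ENTRY! (Apache 2.4) ----------------------------------------
# Same effect as "deny from all": every direct request gets a 403.
Require all denied

# --- 2. NO ENTRY outside of the LAN! (Apache 2.4) ---------------------
# A lone Require acts as an allow-list: anything it does not match is refused.
Require ip 192.168.0.0/24
# Partial addresses still work; "Require ip 192.168.0" covers the same range.

# --- 3. Ban one address, admit everyone else (Apache 2.4) -------------
# A negated Require can only refuse, so it has to sit inside <RequireAll>
# next to a rule that grants access.
<RequireAll>
    Require all granted
    Require not ip 83.222.23.219
</RequireAll>

# --- 4. LAN-only rule for a file that must load on 2.2 and 2.4 --------
# mod_authz_core exists only in 2.4, so exactly one branch is applied and
# the old and new syntaxes are never mixed for the same directory.
<IfModule mod_authz_core.c>
    Require ip 192.168.0.0/24
</IfModule>
<IfModule !mod_authz_core.c>
    order deny,allow
    deny from all
    allow from 192.168.0.0/24
</IfModule>
```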

    Custom error documents..

    I guess I should briefly mention that .htaccess is where most folk configure their error documents. Usually with something like this..

    the usual method. the "err" folder (with the custom pages) is in the root

    # custom error documents
    ErrorDocument 401 /err/401.php
    ErrorDocument 403 /err/403.php
    ErrorDocument 404 /err/404.php
    ErrorDocument 500 /err/500.php

    You can also specify external URLs, though this can be problematic, and is best avoided. One quick and simple method is to specify the text in the directive itself, you can even use HTML (though there is probably a limit to how much HTML you can squeeze onto one line). Remember, for Apache 1; begin with a ", but DO NOT end with one. For Apache 2, you can put a second quote at the end, as normal.

    measure twice, quote once..


    # quick custom error "document"..
    ErrorDocument 404 "NO! There is nothing here.. go away quickly!

    Using a custom error document is a Very Good Idea, and will give you a second chance at your almost-lost visitors. I recommend you download mine. But then, I would.

    Password protected directories..

    The next most obvious use for our .htaccess files is to allow access to only specific users, or user groups, in other words; password protected folders. A simple authorisation mechanism might look something like this..

    a simple sample .htaccess file for password protection:

    AuthType Basic
    AuthName "restricted area"
    AuthUserFile /usr/local/var/www/html/.htpasses
    require valid-user

    You can use this same mechanism to limit only certain kinds of requests, too..

    only valid users can POST in here, anyone can GET, PUT, etc:

    AuthType Basic
    AuthName "restricted area"
    AuthUserFile /usr/local/var/www/html/.htpasses
    <Limit POST>
    require valid-user
    </Limit>

    You can find loads of online examples of how to setup authorization using .htaccess, and so long as you have a real user (or create one, in this case, 'jimmy') with a real password (you will be prompted for this, twice) in a real password file (the -c switch will create it)..

    htpasswd -c /usr/local/var/www/html/.htpasses jimmy

    ..the above will work just fine. htpasswd is a tool that comes free with Apache, specifically for making and updating password files, check it out. The windows version is the same; only the file path needs to be changed; to wherever you want to put the password file.

    Note: if the Apache bin/ folder isn't in your PATH, you will need to cd into that directory before performing the command. Also note: You can use forward and back-slashes interchangeably with Apache/php on Windows, so this would work just fine.

    htpasswd -c c:/unix/usr/local/Apache2/conf/.htpasses jimmy

    Relative paths are fine too; assuming you were inside the bin/ directory of our fictional Apache install, the following would do exactly the same as the above.

    htpasswd -c ../conf/.htpasses jimmy

    Naming the password file .htpasses is a habit from when I had to keep that file inside the web site itself, and as web servers are configured to ignore files beginning with .ht, they too, remain hidden. If you keep your password file outside the web root (a better idea), then you can call it whatever you like, but the .ht_something habit is a good one to keep, even inside the web tree, it is secure enough for our basic purpose..

    Once they are logged in, you can access the remote_user environmental variable, and do stuff with it..

    the remote_user variable is now available..

    RewriteEngine on
    RewriteCond %{remote_user} !^$ [nc]
    RewriteRule ^(.*)$ /users/%{remote_user}/$1

    Which is a handy directive, utilizing mod_rewrite; a subject I delve into far more deeply, in part two.


    Get better protection..

    The authentication examples above assume that your web server supports "Basic" http authorisation, as far as I know they all do (it's in the Apache core). Trouble is, some browsers aren't sending password this way any more, personally I'm looking to php to cover my authorization needs. Basic auth works okay though, even if it isn't actually very secure - your password travels in plain text over the wire, not clever.

    If you have php, and are looking for a more secure login facility, check out pajamas. It's free. If you are looking for a password-protected download facility (and much more, besides), check out my distro machine, also free.
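
Basic auth sends the password with every request, so the usual mitigation is to refuse anything that did not arrive over TLS. The following is an added example, not part of the original reference. It assumes Apache 2.4 with mod_ssl, and the password-file path is constructed.

```apache
# .htaccess for the protected folder.

# Plain-HTTP requests are refused with a 403 rather than answered with a
# password prompt, so credentials are only ever requested over TLS.
SSLRequireSSL

AuthType Basic
AuthName "restricted area"
# Constructed path outside the DocumentRoot. Created with
#   htpasswd -c -B /usr/local/var/auth/.htpasses jimmy
# where -B selects bcrypt hashing (Apache 2.4).
AuthUserFile /usr/local/var/auth/.htpasses
Require valid-user

# If the password file has to live inside the web tree, refuse it explicitly
# rather than relying on the server-wide default for .ht* files.
<Files ".ht*">
    Require all denied
</Files>
```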

    500 error..

    If you add something that the server doesn't understand or support, you will get a 500 error page, aka.. "the server did a boo-boo". Even directives that work perfectly on your test server at home may fail dramatically at your real site. In fact this is a great way to find out if .htaccess files are enabled on your site; create one, put some gibberish in it, and load a page in that folder, wait for the 500 error. If there isn't one, probably they are not enabled.

    If they are, we need a way to safely do live-testing without bringing the whole site to a 500 standstill.

    Fortunately, in much the same way as we used the <Limit> tag above, we can create conditional directives, things which will only come into effect if certain conditions are true. The most useful of these is the "ifModule" condition, which goes something like this..

    only if PHP is loaded, will this directive have any effect (switch the 4 for a 5 if using php5)

    <IfModule mod_php4.c>
    php_value default_charset utf-8
    </IfModule>

    ..which, placed in your master .htaccess file, would set the default character encoding of your entire site to utf-8 (a good idea!), at least, anything output by PHP. If the PHP4** module isn't running on the server, the above .htaccess directive will do exactly nothing; Apache just ignores it. As well as proofing us against knocking the server into 500 mode, this also makes our .htaccess directives that wee bit more portable. Of course, if your syntax is messed-up, no amount of if-module-ing is going to prevent an error of some kind, all the more reason to practice this stuff on a local test server.

    ** note: if you are using php5, you would obviously instead use <IfModule mod_php5.c>.

    Groovy things to do with .htaccess..

    So far we've only scratched the surface. Aside from authorisation, the humble .htaccess file can be put to all kinds of uses. If you've ever had a look in my public archives you will have noticed that the directories are fully browsable, just like in the old days before adult web hosts realized how to turn that feature off! A line like this..

    bring back the directories!

    Options +Indexes +MultiViews +FollowSymlinks

    ..will almost certainly turn it back on again. And if you have mod_autoindex.c installed on your server (probably, yes), you can get nice fancy indexing, too..

    show me those files!

    IndexOptions FancyIndexing


    ..which, as well as being neater, allows users to click the titles and, for instance, order the listing by date, or file size, or whatever. It's all for free too, built-in to the server, we're just switching it on. You can control certain parameters too..

    let's go all the way!

    IndexOptions FancyIndexing IconHeight=16 IconWidth=16

    Other parameters you could add include.

    NameWidth=30
    DescriptionWidth=30
    IconsAreLinks SuppressHTMLPreamble (handy!)

    I'm not mentioning the "XHTML" parameter in Apache2, because it still isn't! Anyways, I've chucked one of my old fancy indexing .htaccess files onsite for you to have some fun with. Just add readme.html and away you go! Note: these days I use a single header file for all the indexes.

    HeaderName /inc/header.html

    .. and only drop in local "readme" files. Check out the example, and my public archives for more details.

    custom directory index files

    While I'm here, it's worth mentioning that .htaccess is where you can specify which files you want to use as your indexes, that is, if a user requests /foo/, Apache will serve up /foo/index.html, or whatever file you specify.

    You can also specify multiple files, and Apache will look for each in order, and present the first one it finds. It's generally setup something like.

    DirectoryIndex index.html index.php index.htm

    It really is worth scouting around the Apache documentation, often you will find controls for things you imagined were uncontrollable, thereby creating new possibilities, better options for your website. My experience of the magic "LAMP" (Linux-Apache-MySQL-PHP) has been.. "If you can imagine that it can be done, it can be done". Swap "Linux" for any decent operating system, the "AMP" part runs on most of them.

    Okay, so now we have nice fancy directories, and some of them password protected. If you don't watch out, your site will get popular, and that means bandwidth..

    Save bandwidth with .htaccess!

    If you pay for your bandwidth, this wee line could save you hard cash..

    save me hard cash! and help the internet!

    php_value zlib.output_compression 16386

    All it does is enable PHP's built-in transparent zlib compression. This will halve your bandwidth usage in one stroke, more than that, in fact. Of course it only works with data being output by the PHP module, but if you design your pages with this in mind, you can use php echo statements, or better yet, php "includes" for your plain html output and just compress everything! Remember, if you run phpsuexec, you'll need to put php directives in a local php.ini file, not .htaccess. See here for more details.

    Hide and deny files..

    Do you remember I mentioned that any file beginning with .ht is invisible? .."almost every web server in the world is configured to ignore them, by default" and that is, of course, because .ht_anything files generally have server directives and passwords and stuff in them, most servers will have something like this in their main configuration..

    Standard setting..

    Order allow,deny
    Deny from all
    Satisfy All

    which instructs the server to deny access to any file beginning with .ht, effectively protecting our .htaccess and other files. The "." at the start prevents them being displayed in an index, and the .ht prevents them being accessed. This version..

    ignore what you want

    Order allow,deny
    Deny from all
    Satisfy All

    tells the server to deny access to *.log files. You can insert multiple file types into each rule, separating them with a pipe "|", and you can insert multiple blocks into your .htaccess file, too. I find it convenient to put all the files starting with a dot into one, and the files with denied extensions into another, something like this..

    the whole lot

    # deny all .htaccess, .DS_Store $h and ._* (resource fork) files
    Order allow,deny
    Deny from all
    Satisfy All

    # deny access to all .log and .comment files
    Order allow,deny
    Deny from all
    Satisfy All

    would cover all ._* resource fork files, .DS_Store files (which the Mac Finder creates all over the place), *.log files, *.comment files and of course, our .ht* files. You can add whatever file types you need to protect from direct access. I think it's clear now why the file is called ".htaccess".

    These days, using is preferred over , mainly because you can use regular expressions in the conditions (very handy), and produce cleaner, more readable code. Here's an example, which I use for my php-generated style sheets..

    parse file.css and file.style with the php machine..

    # handler for phpsuexec..

    SetHandler application/x-httpd-php

    Any files with a *.css or *.style extension will now be handled by php, rather than simply served up by Apache. And because you can use regexp, you could do stuff like , which is handy. Any statements you come across can be advantageously replaced by statements. Good to know.

    More stuff..

    At the end of my .htaccess files, there always seems to be a section of "stuff"; miscellaneous commands, mainly php flags and switches; so it seems logical to finish up the page with a wee selection of those..

    php flags, switches and other stuff..

    # let's enable php (non-cgi, aka. 'module') for EVERYTHING..'

    AddType application/x-httpd-php5 .htm .html .php .blog .comment .inc

    # better yet..
    AddHandler php5-script .php

    # legacy php4 version..'
    AddType application/x-httpd-php .htm .html .php .blog .comment .inc

    # don't even think about setting this to 'on'
    php_value register_globals off

    # no session id's in the URL PULEEZE!
    php_value session.use_trans_sid 0
    # should be the same as..
    php_flag session.use_trans_sid off
    # using both should also work fine!

    # php error logs..
    php_flag display_errors off
    php_flag log_errors on
    php_value track_errors on
    php_value error_log /home/cor/errors/phperr.log

    # if you like to collect interesting php system shell access and web hack scripts
    # get yourself a SECURE upload facility, and just let the script-kiddies come
    # in no time you will have a huge selection of fascinating code. If you want folk to
    # also upload zips and stuff, you might want to increase the upload capacities..
    php_value upload_max_filesize 12M
    php_value post_max_size 12M

    # php 5 only, afaik. handy when your server isn't where YOU are.
    php_value date.timezone Europe/Aberdeen
    # actually, Europe/Aberdeen isn't a valid php timezone, so that won't work.
    # I recommend you check the php manual for this function, because many crazy places ARE!

    Note: For most of the flags I've tested, you can use on/off and true/false interchangeably, as well as 0/1, also php_value and php_flag can be switched around while things continue to work as expected! I guess, logically, booleans should always be php_flag, and values, php_value; but suffice to say, if some php erm, directive isn't working, these would all be good things to fiddle with!

    Of course, the php manual explains all. The bottom line is; both will work fine, but if you use the wrong type in .htaccess, say, set a php_flag using php_value, a php ini_get() command, for instance, would return true, even though you had set the value to off, because it reads off value as a string, which of course evaluates to not-zero, i.e. 1, or "true". If you don't rely on ini_get(), or similar, it's not a problem, though clearly it's better to get it right from the start. By the way; one of the values above is incorrectly set. Did you spot it?

    Most php settings, you can override inside your actual scripts, but I do find it handy to be able to set defaults for a folder, or an entire site, using .htaccess.

    over to you..

    That should get you started with .htaccess, quite easy when you know how. If you really want to bend your brain out of shape, follow the link below for part two of the series, where I delve into the arcane mysteries of URL rewriting.

    Section - 3

    htaccess

    Apache Gzip Compression

    The following snippet enables Gzip compression for everything except compressed images. Gzipping your content usually reduces the response size by about 70%. Do you want to learn more? Watch how Gzip compression works and why it's so important.

    # Enables compression for everything except compressed images.

    # See http://httpd.apache.org/docs/2.0/mod/mod_deflate.html

    # Required mod_deflate and mod_headers

    # Insert filter

    SetOutputFilter DEFLATE

    # Netscape 4.x has some problems...

    BrowserMatch ^Mozilla/4 gzip-only-text/html

    # Netscape 4.06-4.08 have some more problems

    BrowserMatch ^Mozilla/4\.0[678] no-gzip

    # MSIE masquerades as Netscape, but it is fine

    # BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

    # NOTE: Due to a bug in mod_setenvif up to Apache 2.0.48

    # the above regex won't work. You can use the following

    # workaround to get the desired effect:

    BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html

    # Don't compress images

    SetEnvIfNoCase Request_URI \
    \.(?:gif|jpe?g|png)$ no-gzip dont-vary

    # Make sure proxies don't deliver the wrong content

    Header append Vary User-Agent env=!dont-vary

    Another method

    # compress text, html, javascript, css, xml:

    AddOutputFilterByType DEFLATE text/plain

    AddOutputFilterByType DEFLATE text/html

    AddOutputFilterByType DEFLATE text/xml

    AddOutputFilterByType DEFLATE text/css

    AddOutputFilterByType DEFLATE application/xml

    AddOutputFilterByType DEFLATE application/xhtml+xml

    AddOutputFilterByType DEFLATE application/rss+xml

    AddOutputFilterByType DEFLATE application/javascript

    AddOutputFilterByType DEFLATE application/x-javascript

    Rails Cache

    The following two snippets are meant to be used in combination with Rails page caching. They instruct Apache to look for a cached resource in the /cache folder and serve the content from the directory if the file exists.

    RewriteEngine On

    RewriteCond %{DOCUMENT_ROOT}/cache%{REQUEST_URI}.html -f

    RewriteRule ^(.*)$ /cache/$1.html [QSA,L]

    RewriteEngine On

    RewriteCond %{DOCUMENT_ROOT}/cache/%{HTTP_HOST}%{REQUEST_URI}.html -f

    RewriteRule ^(.*)$ /cache/%{HTTP_HOST}/$1.html [QSA,L]

    Redirect Not-WWW to WWW

    This is a really generic Not-WWW to WWW configuration script. Unlike most existing scripts, it doesn't force you to manually inject the server name. Just include the snippets and you're ready. If you are looking for a less exotic configuration, have a look at the How to 301 redirect Not-WWW to WWW version question at Search Marketing Arena.

    # More details available at http://www.askapache.com/htaccess/http-https-rewriterule-redirect.html

    RewriteEngine On

    RewriteCond %{SERVER_PORT}s ^(443(s)|[0-9]+s)$

    RewriteRule ^(.+)$ - [env=thes:%2]

    RewriteCond %{HTTP_HOST} !^www\.(.+) [NC]

    RewriteRule ^/(.*)$ http%{ENV:thes}://www.%{HTTP_HOST}/$1 [R=301,L]

    The conventional approach is

    RewriteEngine on

    RewriteCond %{HTTP_HOST} ^yourdomain\.com [NC]

    RewriteRule ^(.*)$ http://www.yourdomain.com/$1 [L,R=301]

    Section 4

    from www to non-www

    RewriteEngine on

    RewriteCond %{HTTP_HOST} ^www\.yourdomain\.com [NC]

    RewriteRule ^(.*)$ http://yourdomain.com/$1 [L,R=301]

    Security Rules

    In an attempt to reduce the amount of spam comments sent to my blogs, I extracted some recurrent patterns from my server logs and created some super-simple rules to kick out automated scripts. Basically, this is the same idea behind mod_security, with the (huge) difference that my set of rules is much simpler but much more lightweight.

    # Block some user agents from posting

    RewriteEngine On

    RewriteCond %{HTTP_USER_AGENT} ^-$ [OR]

    RewriteCond %{HTTP_USER_AGENT} ^(Jakarta\sCommons\-HttpClient) [NC]

    RewriteCond %{REQUEST_METHOD} ^POST$

    RewriteRule . - [F,L]

    # Block libwww-perl/5.805 from attempting to exploit security vulnerabilities

    RewriteEngine On

    RewriteCond %{HTTP_USER_AGENT} ^libwww\-perl/.+ [NC]

    RewriteCond %{QUERY_STRING} .

    RewriteRule . - [F,L]

    # Block generic Java-based clients

    RewriteEngine On

    RewriteCond %{HTTP_USER_AGENT} ^Java/1\.6\.0_04 [NC]

    RewriteRule . - [F,L]

    RewriteEngine On

    RewriteCond %{HTTP_USER_AGENT} ^\-$ [NC]

    RewriteRule . - [F,L]

    All configuration snippets are available free of charge and without any warranty. Use them at your own risk.

    Enable Directory Browsing

    Options +Indexes

    ## block a few types of files from showing

    IndexIgnore *.wmv *.mp4 *.avi

    Disable Directory Browsing

    Options All -Indexes

    Customize Error Messages

    ErrorDocument 403 /forbidden.html

    ErrorDocument 404 /notfound.html

    ErrorDocument 500 /servererror.html

    Get SSI working with HTML/SHTML

    AddType text/html .html

    AddType text/html .shtml

    AddHandler server-parsed .html

    AddHandler server-parsed .shtml

    # AddHandler server-parsed .htm

    Change Default Page (order is followed!)

    DirectoryIndex myhome.htm index.htm index.php

    Block Users from accessing the site

    order allow,deny

    deny from 202.54.122.33

    deny from 8.70.44.53

    deny from .spammers.com

    allow from all

    Allow only LAN users

    order deny,allow

    deny from all

    allow from 192.168.0.0/24
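
    How the two Order settings used in the blocks above are evaluated, as an added example (not code from the original reference): a small Python model of the Apache 2.2 Allow/Deny decision, run against constructed client addresses. Under Order deny,allow an Allow match overrides a Deny match, so a block list that ends in "allow from all" only takes effect under Order allow,deny; the function names and sample clients are assumptions made for the illustration.

```python
import ipaddress


def spec_matches(spec, client_ip, client_host=None):
    """True if one 'Allow from' / 'Deny from' argument matches the client."""
    if spec == "all":
        return True
    if spec.startswith("."):
        # Partial domain name: compared with the client's resolved host name.
        return client_host is not None and client_host.endswith(spec)
    # Single address or CIDR block.
    network = ipaddress.ip_network(spec, strict=False)
    return ipaddress.ip_address(client_ip) in network


def access_allowed(order, allow, deny, client_ip, client_host=None):
    """Model of the Apache 2.2 Order/Allow/Deny decision for one request."""
    allowed = any(spec_matches(s, client_ip, client_host) for s in allow)
    denied = any(spec_matches(s, client_ip, client_host) for s in deny)
    if order == "deny,allow":
        # Deny is evaluated first, Allow overrides it, default is to permit.
        return allowed or not denied
    if order == "allow,deny":
        # Allow is evaluated first, Deny overrides it, default is to reject.
        return allowed and not denied
    raise ValueError("unknown Order: %r" % order)


# The page's block list and LAN-only list.
BLOCKLIST = ["202.54.122.33", "8.70.44.53", ".spammers.com"]
LAN_ONLY = ["192.168.0.0/24"]


def demo():
    """Decisions for constructed clients (documentation address ranges)."""
    return {
        # Block list with 'allow from all': the listed address still gets in.
        "deny,allow + listed IP": access_allowed(
            "deny,allow", ["all"], BLOCKLIST, "202.54.122.33"),
        # Same lists under allow,deny: the listed address is rejected.
        "allow,deny + listed IP": access_allowed(
            "allow,deny", ["all"], BLOCKLIST, "202.54.122.33"),
        "allow,deny + listed domain": access_allowed(
            "allow,deny", ["all"], BLOCKLIST, "198.51.100.7", "mail.spammers.com"),
        "allow,deny + other client": access_allowed(
            "allow,deny", ["all"], BLOCKLIST, "203.0.113.9"),
        # LAN-only: 'deny from all' plus one Allow works under deny,allow.
        "LAN client": access_allowed(
            "deny,allow", LAN_ONLY, ["all"], "192.168.0.17"),
        "outside client": access_allowed(
            "deny,allow", LAN_ONLY, ["all"], "203.0.113.9"),
    }


if __name__ == "__main__":
    for label, decision in demo().items():
        print("%-28s %s" % (label, "allowed" if decision else "denied"))
```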

    Redirect Visitors to New Page/Directory

    Redirect /oldpage.html http://www.domainname.com/newpage.html

    Redirect /olddir http://www.domainname.com/newdir/

    Block site from specific referrers

    RewriteEngine on

    RewriteCond %{HTTP_REFERER} site-to-block\.com [NC,OR]

    RewriteCond %{HTTP_REFERER} site-to-block-2\.com [NC]

    RewriteRule .* - [F]

    Block Hot Linking/Bandwidth hogging

    RewriteEngine on

    RewriteCond %{HTTP_REFERER} !^$

    RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain.com/.*$ [NC]

    RewriteRule \.(gif|jpg)$ - [F]

    Want to show a Stealing is Bad message too?

    Add this below the Hot Link Blocking code:

    RewriteRule \.(gif|jpg)$ http://www.mydomain.com/dontsteal.gif [R,L]

    Stop .htaccess (or any other file) from being viewed

    order allow,deny

    deny from all

    Avoid the 500 Error

    # Avoid 500 error by passing charset

    AddDefaultCharset utf-8

    Grant CGI Access in a directory

    Options +ExecCGI

    AddHandler cgi-script cgi pl

    # To enable all scripts in a directory use the following

    # SetHandler cgi-script

    Password Protecting Directories

    Use the .htaccess Password Generator and follow the brief instructions!

    Change Script Extensions

    AddType application/x-httpd-php .gne

    gne will now be treated as PHP files! Similarly, x-httpd-cgi for CGI files, etc.

    Use MD5 Digests

    Performance may take a hit but if that's not a problem, this is a nice option to turn on.

    ContentDigest On

    The CheckSpelling Directive

    From Jens Meiert: CheckSpelling corrects simple spelling errors (for example, if someone forgets a letter or if any character is just wrong). Just add CheckSpelling On to your htaccess file.

    The ContentDigest Directive

    As the Apache core features documentation says: This directive enables the generation of Content-MD5 headers as defined in RFC1864 respectively RFC2068. The Content-MD5 header provides an end-to-end message integrity check (MIC) of the entity-body. A proxy or client may check this header for detecting accidental modification of the entity-body in transit.

    Note that this can cause performance problems on your server since the message digest is computed on every request (the values are not cached). Content-MD5 is only sent for documents served by the core, and not by any module. For example, SSI documents, output from CGI scripts, and byte range responses do not have this header.

    To turn this on, just add ContentDigest On.

    Enable Gzip to Save Bandwidth

    # BEGIN GZIP

    # Combine the below two lines - I've split it up for presentation

    AddOutputFilterByType DEFLATE text/text text/html text/plain text/xml text/css

    application/x-javascript application/javascript

    # END GZIP

    Turn off magic_quotes_gpc

    # Only if you use PHP

    php_flag magic_quotes_gpc off

    Set an Expires header and enable Cache-Control

    ExpiresActive On

    ExpiresDefault "access plus 1 seconds"

    ExpiresByType text/html "access plus 7200 seconds"

    ExpiresByType image/gif "access plus 518400 seconds"

    ExpiresByType image/jpeg "access plus 518400 seconds"

    ExpiresByType image/png "access plus 518400 seconds"

    ExpiresByType text/css "access plus 518400 seconds"

    ExpiresByType text/javascript "access plus 216000 seconds"

    ExpiresByType application/x-javascript "access plus 216000 seconds"

    # Cache specified files for 6 days

    Header set Cache-Control "max-age=518400, public"

    # Cache HTML files for a couple hours

    Header set Cache-Control "max-age=7200, private, must-revalidate"

    # Cache PDFs for a day

    Header set Cache-Control "max-age=86400, public"

    # Cache Javascripts for 2.5 days

    Header set Cache-Control "max-age=216000, private"

    Skip the download dialogue using .htaccess

    Usually when you try to download something from a web server you get a request asking whether you want to save the file or open it. To avoid that you can use the below code on your .htaccess file

    AddType application/octet-stream .pdf

    AddType application/octet-stream .zip

    AddType application/octet-stream .mov

    Using htaccess to Prevent Hacking

    If you want to increase the security level of your website, you can chuck in these few lines of code to prevent some common hacking techniques by detecting malicious URL patterns.

    RewriteEngine On

    # proc/self/environ? no way!

    RewriteCond %{QUERY_STRING} proc/self/environ [OR]

    # Block out any script trying to set a mosConfig value through the URL

    RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]

    # Block out any script trying to base64_encode crap to send via URL

    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]

    # Block out any script that includes a <script> tag in URL

    RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]

    # Block out any script trying to set a PHP GLOBALS variable via URL

    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]

    # Block out any script trying to modify a _REQUEST variable via URL

    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})

    # Send all blocked request to homepage with 403 Forbidden error!

    RewriteRule ^(.*)$ index.php [F,L]
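
    A way to regression-test a query-string block list like the one above before deploying it, as an added example (not code from the original reference): a Python model of how mod_rewrite combines RewriteCond lines (implicit AND, [OR] joining a line to the next), checked against constructed query strings. The patterns assume the escaped forms of the six conditions; the sample query strings, function names and the empty-match lint are assumptions made for the illustration.

```python
import re

# The six conditions, in order, with their flags. mod_rewrite tests the raw
# query string, which is why the patterns also list percent-encoded forms.
CONDS = [
    (r"proc/self/environ", {"OR"}),
    (r"mosConfig_[a-zA-Z_]{1,21}(=|\%3D)", {"OR"}),
    (r"base64_encode.*\(.*\)", {"OR"}),
    (r"(<|%3C).*script.*(>|%3E)", {"NC", "OR"}),
    (r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", {"OR"}),
    (r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})", set()),
]


def chain_matches(conds, query_string):
    """True if the RewriteCond chain holds, i.e. the RewriteRule would fire."""
    group_hit, group_open = False, False
    for pattern, flags in conds:
        hit = re.search(pattern, query_string,
                        re.I if "NC" in flags else 0) is not None
        group_hit, group_open = group_hit or hit, True
        if "OR" not in flags:
            # End of an OR-group; groups are ANDed together.
            if not group_hit:
                return False
            group_hit, group_open = False, False
    return group_hit if group_open else True


def overbroad(pattern):
    """A pattern that matches the empty string matches every query string,
    so an [OR] chain containing it answers 403 to every request."""
    return re.search(pattern, "") is not None


# Constructed samples: traffic that must pass, and requests the rules target.
BENIGN = ["id=42&sort=date", "q=globals+warming&lang=en", "ref=GLOBALS", ""]
TARGETED = [
    "page=/proc/self/environ",
    "mosConfig_absolute_path=x",
    "msg=%3CSCRIPT%3E",            # caught only because of the NC flag
    "GLOBALS[foo]=1",
    "_REQUEST%5Bx%5D=1",
]


def audit(conds, benign, targeted):
    """Return (false_positives, misses) for a rule chain."""
    false_positives = [q for q in benign if chain_matches(conds, q)]
    misses = [q for q in targeted if not chain_matches(conds, q)]
    return false_positives, misses


if __name__ == "__main__":
    fp, missed = audit(CONDS, BENIGN, TARGETED)
    print("false positives:", fp)
    print("misses:", missed)
    print("overbroad patterns:", [p for p, _ in CONDS if overbroad(p)])
```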

    301 Website Redirect

    Did you know that search engine crawlers think that 'www.spauldinghill.org' and 'spauldinghill.org' are two different websites!? We need to help the crawlers out and tell them that the two URLs are the same. We can do this with a 301 (moved permanently) redirect. The code below will redirect requests for 'spauldinghill.org' to 'www.spauldinghill.org'.

    RewriteEngine On

    RewriteCond %{HTTP_HOST} !^www\.spauldinghill\.org

    RewriteRule (.*) http://www.spauldinghill.org/$1 [R=301,L]

    Turning on Server Side Includes (SSI)

    The file paths in this snippet are specific for OS X 10.6.x so if you are running some other kind of Linux based system just do a couple of greps in /etc/apache (/etc/httpd on RHEL systems) to find out which files to edit.

    Please note that since we like our HTML files to have a .html file extension we enable our server to check every file that is executable. Also the 'ServerAdmin' line has a non-valid email on purpose to avoid spam.

    First you need to add the include type so Apache knows that .shtml files should be parsed. This should be in your main Apache configuration file so just search for '.shtml' in the file. The lines are usually commented out, so just uncomment them:

    In the file /private/etc/apache2/httpd.conf

    #AddType text/html .shtml

    #AddOutputFilter INCLUDES .shtml

    just delete the '#'

    AddType text/html .shtml

    AddOutputFilter INCLUDES .shtml

    Now we need our server to check all .html files that are executable to see if there are SSI's to execute. This can be done by adding the XBitHack option to your VirtualHost context:

    In the file /private/etc/apache2/extra/httpd-vhosts.conf

    ServerAdmin adminspauldinghill.org

    DocumentRoot "/Sites/Spauldinghill"

    ServerName spauldinghill-stage

    ServerAlias spauldinghill-stage

    XBitHack On

    While we are in the VirtualHost context we need to enable Includes for the directory where all of our HTML files live.

    ServerAdmin adminspauldinghill.org

    DocumentRoot "/Sites/Spauldinghill"

    ServerName spauldinghill-stage

    ServerAlias spauldinghill-stage

    XBitHack On

    Options +Includes

    Now restart apache and see 1998 technology come to life :)

    FooBar:~ root# apachectl configtest

    Syntax OK

    FooBar:~ root# apachectl restart

    Nice urls

    #

    RewriteEngine On

    RewriteCond %{REQUEST_FILENAME} !-f

    RewriteCond %{REQUEST_FILENAME} !-d

    RewriteRule ^(.*)$ $1.php [L,QSA]

    # http://domain/about -> http://domain/about.php

    # -- or --

    #

    RewriteEngine On

    RewriteCond %{REQUEST_FILENAME} !-f

    RewriteCond %{REQUEST_FILENAME} !-d

    RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]

    # http://domain/about -> http://domain/index.php?q=about

    Ban a user

    RewriteEngine on

    RewriteCond %{HTTP_REFERER} ^http://(www.)?domain_to_ban.com

    RewriteRule .* http://www.google.com [L]

    Re-route

    ServerName www.your-domain.com

    ProxyPreserveHost on

    ProxyPass /cp http://localhost:5678/cp

    ProxyPass /db/ http://localhost:5984/

    or

    ServerName www.your-domain.com

    RewriteRule ^/(cp|db/|static/|www/)(.*)$ http://localhost:5678/$1$2 [P]

    Parse HTML files as PHP

    URL: http://snippets.dzone.com/posts/show/459

    Add this to your .htaccess file in Apache:

    AddType application/x-httpd-php .html

    End Of Section

    Section 5

    Redirecting and Rewriting

    "The great thing about mod_rewrite is it gives you all the configurability and flexibility of Sendmail. The downside to mod_rewrite is that it gives you all the configurability and flexibility of Sendmail."

    - Brian Behlendorf, Apache Group

    One of the more powerful tricks of the .htaccess hacker is the ability to rewrite URLs. This enables us to do some mighty manipulations on our links; useful stuff like transforming Very Long URL's into Short, Cute URLs, transforming dynamic ?generated=page&URL's into /friendly/flat/links, redirecting missing pages, preventing hot-linking, performing automatic language translation, and much, much more.

    Make no mistake, mod_rewrite is complex. This isn't the subject for a quick bite-size tech-snack, probably not even a week-end crash-course, I've seen guys pull off some real cute stuff with mod_rewrite, but with kudos-hat tipped firmly towards that bastard operator from hell, Ralf S. Engelschall, author of the magic module itself, I have to admit that a great deal of it still seems so much voodoo to me.

    The way that rules can work one minute and then seem not to the next, how browser and other in-between network caches interact with rules and testing rules is often baffling, maddening. When I feel the need to bend my mind completely out of shape, I mess around with mod_rewrite!

    After all this, it does work, and while I'm not planning on taking that week-end crash-course any time soon, I have picked up a few wee tricks myself, messing around with web servers and web sites, this place..

    The plan here is to just drop some neat stuff, examples, things that have proven useful, and work on a variety of server setups; there are Apache's all over my LAN, I keep coming across old .htaccess files stuffed with past rewriting experiments that either worked; and I add them to my list, or failed dismally; and I'm surprised that more often these days, I can see exactly why!

    Very little here is my own invention. Even the bits I figured out myself were already well documented, I just hadn't understood the documents, or couldn't find them. Sometimes, just looking at the same thing from a different angle can make all the difference, so perhaps this humble stab at URL Rewriting might be of some use. I'm writing it for me, of course, but I do get some credit for this..

    # time to get dynamic, see..

    RewriteRule (.*)\.htm $1.php

    beginning rewriting..

    Whenever you use mod_rewrite (the part of Apache that does all this magic), you need to do..

    you only need to do this once per .htaccess file:

    Options +FollowSymlinks
    RewriteEngine on

    ..before any ReWrite rules. note: +FollowSymLinks must be enabled for any rules to work, this is a security requirement of the rewrite engine. Normally it's enabled in the root and you shouldn't have to add it, but it doesn't hurt to do so, and I'll insert it into all the examples on this page, just in case*.

    The next line simply switches on the rewrite engine for that folder. If this directive is in your main .htaccess file, then the ReWrite engine is theoretically enabled for your entire site, but it's wise to always add that line before you write any redirections, anywhere.

    *Although highly unlikely, your host may have +FollowSymLinks enabled at the root level, yet disallow its addition in .htaccess; in which case, adding +FollowSymLinks will break your setup (probably a 500 error), so just remove it, and your rules should work fine.

    Important: While some of the directives on this page may appear split onto two lines in your browser, in your .htaccess file they must exist completely on one line. If you drag-select and copy the directives on this page, they should paste just fine into any text editor.

    simple rewriting

    Simply put, Apache scans all incoming URL requests, checks for matches in our .htaccess file and rewrites those matching URLs to whatever we specify. something like this..

    all requests to whatever.htm will be sent to whatever.php:

    Options +FollowSymlinks
    RewriteEngine on
    RewriteRule ^(.*)\.htm$ $1.php [NC]

    Handy for anyone updating a site from static htm (you could use .html, or .htm(.*), .htm?, etc) to dynamic php pages; requests to the old pages are automatically rewritten to our new urls. no one notices a thing, visitors and search engines can access your content either way. leave the rule in; as an added bonus, this enables us to easily split php code and its included html structures into two separate files, a nice idea; makes editing and updating a breeze. The [NC] part at the end means "No Case", or "case-insensitive"; more on the switches, later.

    Folks can link to whatever.htm or whatever.php, but they always get whatever.php in their browser, and this works even if whatever.htm doesn't exist! But I'm straying..

    As it stands, it's a bit tricky; folks will still have whatever.htm in their browser address bar, and will still keep bookmarking your old .htm URL's. Search engines, too, will keep on indexing your links as .htm, some have even argued that serving up the same content from two different places could have you penalized by the search engines. This may or not bother you, but if it does, mod_rewrite can do some more magic..

    this will do a "real" external redirection:

    Options +FollowSymlinks
    RewriteEngine on
    RewriteRule ^(.+)\.htm$ http://corz.org/$1.php [R,NC]

    This time we instruct mod_rewrite to do a proper external rewrite, aka, "redirection". Now, instead of just background rewriting on-the-fly, the user's browser is physically redirected to a new URI, and whatever.php appears in their browser's address bar - search engines and other spidering entities will automatically update their links to the .php versions; everyone wins. You can take your time with the updating, too.

    Note: if you use [R] alone, it defaults to sending an HTTP "MOVED TEMPORARILY" redirection, aka, "302". But you can send other codes, like so..

    this performs the exact same as the previous example RewriteRule.

    RewriteRule ^(.+)\.htm$ http://corz.org/$1.php [R=302,NC]

    Okay, I sent the exact same code, but I didn't have to. For details of the many 30* response codes you can send, see here. Most people seem to want to send 301, aka, "MOVED PERMANENTLY".

    Note: if you add an "L" flag to the mix; meaning "Last Rule", e.g. [R=302,NC,L]; Apache will stop processing rules for this request at that point, which may or may not be what you want. Either way, it's useful to know.

    not-so-simple rewriting ... flat links and more

    You may have noticed, the above examples use regular expressions to match variables. What that simply means is.. match the part inside (.+) and use it to construct "$1" in the new URL. In other words, (.+) = $1 you could have multiple (.+) parts and for each, mod_rewrite automatically creates a matching $1, $2, $3, etc, in your target (aka. 'substitution') URL. This facility enables us to do all sorts of tricks, and the most common of those, is the creation of "flat links"..

    Even a cute short link like http://mysite/grab?file=my.zip is too ugly for some people, and nothing less than a true old-school solid domain/path/flat/link will do. Fortunately, mod_rewrite makes it easy to convert URLs with query strings and multiple variables into exactly this, something like..

    a more complex rewrite rule:

    Options +FollowSymlinks
    RewriteEngine on
    RewriteRule ^files/([^/]+)/([^/]+).zip /download.php?section=$1&file=$2 [NC]

    would allow you to present this link as..

    http://mysite/files/games/hoopy.zip

    and in the background have that transparently translated, server-side, to..

    http://mysite/download.php?section=games&file=hoopy

    which some script could process. You see, many search engines simply don't follow our?generated=links, so if you create generating pages, this is useful. However, it's only the dumbsearch engines that can't handle these kinds of links; we have to ask ourselves.. do we really want tobe listed by the dumb search engines? Google will handle a good few parameters in your URL withoutany problems, and the (hungry hungry) msn-bot stops at nothing to get that page, sometimes again

    and again and again

    I personally feel it's the search engines that should strive to keep up with modern web technologies, in other words; we shouldn't have to dumb-down for them. But that's just my opinion. Many users will prefer /files/games/hoopy.zip to /download.php?section=games&file=hoopy but I don't mind either way. As someone pointed out to me recently, presenting links as standard/flat/paths means you're less likely to get folks doing typos in typed URL's, so something like..

    an even more complex rewrite rule:

    Options +FollowSymlinks
    RewriteEngine on
    RewriteRule ^blog/([0-9]+)-([a-z]+) http://corz.org/blog/index.php?archive=$1-$2 [NC]

    would be a neat trick, enabling anyone to access my blog archives by doing..

    http://corz.org/blog/2003-nov

    in their browser, and have it automagically transformed server-side into..

    http://corz.org/blog/index.php?archive=2003-nov

    which corzblog would understand. It's easy to see that with a little imagination, and a basic understanding of posix regular expression, you can perform some highly cool URL manipulations.

    Here's the basics of regexp (expanded from the Apache mod_rewrite documentation)..

    Escaping:

      \char          escape that particular char
                     For instance to specify special characters.. [].()\ etc.

    Text:

      .              Any single character (on its own = the entire URI)
      [chars]        Character class: One of following chars
      [^chars]       Character class: None of following chars
      text1|text2    Alternative: text1 or text2 (i.e. "or")

      e.g. [^/]               matches any character except /
           (foo|bar)\.html    matches foo.html and bar.html

    Quantifiers:

      ?              0 or 1 of the preceding text
      *              0 or N of the preceding text (hungry)
      +              1 or N of the preceding text

      e.g. (.+)\.html?        matches foo.htm and foo.html
           (foo)?bar\.html    matches bar.html and foobar.html

    Grouping:

      (text)         Grouping of text
                     Either to set the borders of an alternative or
                     for making backreferences where the nth group can
                     be used on the target of a RewriteRule with $n

      e.g. ^(.*)\.html foo.php?bar=$1

    Anchors:

      ^              Start of line anchor
      $              End of line anchor

    An anchor explicitly states that the character right next to it MUST

    be either the very first character ("^"), or the very last character ("$")

    of the URI string to match against the pattern, e.g..

      ^foo(.*)       matches foo and foobar but not eggfoo
      (.*)l$         matches fool and cool, but not foo

    shortening URLs

    One common use of mod_rewrite is to shorten URL's. Shorter URL's are easier to remember and, of

    course, easier to type. An example..

    beware the regular expression:

    Options +FollowSymlinks
    RewriteEngine On
    RewriteRule ^grab /public/files/download/download.php

    this rule would transform this user's URL..

    http://mysite/grab?file=my.zip

    server-side, into..

    http://mysite/public/files/download/download.php?file=my.zip

    which is a wee trick I use for my distro machine, among other things. Everyone likes short URL's, and so will you; using this technique, you can move /public/files/download/ to anywhere else in your site, and all the old links still work fine; simply alter your .htaccess file to reflect the new location. Edit one line, done - nice - means even when stuff is way deep in your site you can have cool links like this.. /trueview/sample.php /trueview/php/sample.php and this; links which are not only short, but flat..

    capturing variables

    Slapping (.*) onto the end of the request part of a ReWriteRule is just fine when using a simple

    $_GET variable, but sometimes you want to do trickier things, like capturing particular variables and

    converting them into other variables in the target URL. Or something else..

    When capturing variables, the first thing you need to know about, is the [QSA] flag, which simply

    tags all the original variables back onto the end of the target url. This may be all you need, and will

    happen automatically for simple rewrites. The second thing, is %{QUERY_STRING}, an Apache server string we can capture variables from, using simple RewriteCond (aka. conditional) statements.

    RewriteCond is similar to doing if...then...do in many programming languages. If a certain

    condition is true, then do the rewrite that follows..

    In the following example, the RewriteCond statement checks that the query string has the foo

    variable set, and captures its value while it's there. In other words, only requests for /grab that have

    the variable foo set, will be rewritten, and while we're at it, we'll also switch foo, for bar, just

    because we can..

    capturing a $_GET variable:

    Options +FollowSymlinks
    RewriteEngine On
    RewriteCond %{QUERY_STRING} foo=(.*)
    RewriteRule ^grab(.*) /page.php?bar=%1

    would translate a link/user's request for..

    http://domain.com/grab?foo=bar

    server-side, into..

    http://domain.com/page.php?bar=bar

    Which is to say, the user's browser would be fed page.php (without an [R] flag in the RewriteRule,

    their address bar would still read /grab?foo=bar). The variable bar would be available to your

    script, with its value set to bar. This variable has been magically created, by simply using a regular ?

    in the target of the RewriteRule, and tagging on the first captured backreference, %1.. ?bar=%1

    Note how we use the % character, to specify variables captured in RewriteCond statements, aka

    "Backreferences". This is exactly like using $1 to specify numbered backreferences captured in RewriteRule patterns, except for strings captured inside a RewriteCond statement, we use %

    instead of $. Simple.

    You can use the [QSA] flag in addition to these query string manipulations, merge them. In the next

    example, the value of foo becomes the directory in the target URL, and the variable file is magically

    created. The original query string is then tagged back onto the end of the whole thing..

    QSA Overkill!

    Options +FollowSymlinks
    RewriteEngine On
    RewriteCond %{QUERY_STRING} foo=(.+)
    RewriteRule ^grab/(.*) /%1/index.php?file=$1 [QSA]

    So a request for..

    http://domain.com/grab/foobar.zip?level=5&foo=bar

    is translated, server-side, into..

    http://domain.com/bar/index.php?file=foobar.zip&level=5&foo=bar

    Depending on your needs, you could even use flat links and dynamic variables together, something

    like this could be useful..

    mixing flat and dynamic links in a single ruleset..

    Options +FollowSymlinks
    RewriteEngine On
    RewriteCond %{QUERY_STRING} version=(.+)
    RewriteRule ^grab/([^/]+)/(.*) /%1/index.php?section=$1&file=$2 [QSA]
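    The %N / $N / [QSA] behaviour described above, as an added example that is not part of the original page: a simplified Python model of one .htaccess RewriteRule with a RewriteCond on %{QUERY_STRING}, run over constructed query strings. The function names and STRICT_COND are assumptions of this example; it shows that the page's greedy foo=(.+) capture depends on parameter order, and one tighter condition that takes exactly one value.

```python
import re

def expand(template, rule_m, cond_m):
    """Fill $N from the RewriteRule match and %N from the RewriteCond match."""
    def sub(m):
        src = rule_m if m.group(1) == "$" else cond_m
        n = int(m.group(2))
        if src is None or n > src.re.groups:
            return ""
        return src.group(n) or ""
    return re.sub(r"([$%])(\d)", sub, template)

def rewrite(path, query, rule, target, cond=None, qsa=False):
    """Simplified model of one per-directory RewriteRule with an optional
    RewriteCond on %{QUERY_STRING}. Returns (path, query), or None when
    the rule does not apply."""
    rule_m = re.search(rule, path.lstrip("/"))  # .htaccess: no leading slash
    if rule_m is None:
        return None
    cond_m = None
    if cond is not None:
        cond_m = re.search(cond, query)
        if cond_m is None:
            return None
    new_path, has_query, new_query = expand(target, rule_m, cond_m).partition("?")
    if not has_query:
        return new_path, query          # no "?" in target: query string kept
    if qsa and query:                   # [QSA]: original appended after the new one
        new_query = f"{new_query}&{query}" if new_query else query
    return new_path, new_query

# The page's "QSA Overkill!" rule, plus a stricter condition (an assumption
# of this example, not from the page) that accepts one parameter value only.
PAGE_COND = r"foo=(.+)"
STRICT_COND = r"(?:^|&)foo=([^&/]+)(?:&|$)"
RULE, TARGET = r"^grab/(.*)", "/%1/index.php?file=$1"

def qsa_demo(query, cond):
    """Apply the rule to /grab/foobar.zip with the given query string."""
    return rewrite("/grab/foobar.zip", query, RULE, TARGET, cond, qsa=True)

if __name__ == "__main__":
    # Constructed query strings: the page's own, reordered, and one with a "/".
    for q in ("level=5&foo=bar", "foo=bar&level=5", "foo=a/b"):
        print(q, "->", qsa_demo(q, PAGE_COND), "| strict:", qsa_demo(q, STRICT_COND))
```

    With the page's condition, foo=bar&level=5 puts "bar&level=5" into the directory part of the target, because (.+) runs to the end of the query string; the stricter condition yields /bar/ for either parameter order and declines values containing a slash.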

    By the way, you can easily do the opposite, strip a query string from a URL, by simply putting a ?

    right at the end of the target part. This example does exactly that, whilst leaving the actual URI intact..

    just a demo!

    Options +FollowSymlinks
    RewriteEngine On

    RewriteCond %{QUERY_STRING} .
    RewriteRule foo.php(.*) /foo.php? [L]

    The RewriteCond statement only allows requests that have something in their query string, to be

    processed by the RewriteRule, or else we'd end up in that hellish place, dread to all mod_rewriters..

    the endless loop. RewriteCond is often used like this; as a safety-net.

    If all you are after is a /simple/flat/link/ to server-side.php?query=variable translation, use something like this..

    a simple flat link with two "path" variables..

    Options +FollowSymlinks
    RewriteEngine On
    RewriteRule ^/([^/]+)/([^/]+)/? /index.php?first-var=$1&second-var=$2 [QSA]

    cooler access denied

    In part one I demonstrated a drop-dead simple mechanism for denying access to particular files and folders. The trouble with this is the way our user gets a 403 "Access Denied" error, which is a bit like having a door slammed in your face. Fortunately, mod_rewrite comes to the rescue again and enables us to do less painful things. One method I often employ is to redirect the user to the parent folder..

    they go "huh?.. ahhh!"

    # send them up!
    Options +FollowSymlinks
    RewriteEngine on
    RewriteRule ^(.*)$ ../ [NC]

    It works great, though it can be a wee bit tricky with the URLs, and you may prefer to use a harder location, which avoids potential issues in indexed directories, where folks can get in a loop..

    they go damn! Oh!

    # send them exactly there!
    Options +FollowSymlinks
    RewriteEngine on
    RewriteRule ^(.*)$ /comms/hardware/router/ [NC]

    Sometimes you'll only want to deny access to most of the files in the directory, but allow access to maybe one or two files, or file types, easy..

    deny with style!

    # users can load only "special.zip", and the css and js files.
    Options +FollowSymlinks
    RewriteEngine On
    RewriteCond %{REQUEST_FILENAME} !^(.+)\.css$
    RewriteCond %{REQUEST_FILENAME} !^(.+)\.js$
    RewriteCond %{REQUEST_FILENAME} !special.zip$
    RewriteRule ^(.+)$ /chat/ [NC]

    Here we take the whole thing a stage further. Users can access .css (stylesheet) and Javascript files without problem, and also the file called "special.zip", but requests for any other file types are immediately redirected back up to the main "/chat/" directory. You can add as many types as you need. You could also bundle the filetypes into one line using | (or) syntax, though individual lines are perhaps clearer.

    Here's what's currently cooking inside my /inc/ directory..

    all-in-one control..

    RewriteEngine on
    Options +FollowSymlinks
    # allow access with no restrictions to local machine at 192.168.1.3

    RewriteCond %{REMOTE_ADDR} !192.168.1.3
    # allow access to all .css and .js in sub-directories..
    RewriteCond %{REQUEST_URI} !\.css$
    RewriteCond %{REQUEST_URI} !\.js$
    # allow access to the files inside img/, but not a directory listing..
    RewriteCond %{REQUEST_URI} !img/(.*)\.
    # allow access to these particular files...
    RewriteCond %{REQUEST_URI} !comments.php$
    RewriteCond %{REQUEST_URI} !corzmail.php$
    RewriteCond %{REQUEST_URI} !digitrack.php$
    RewriteCond %{REQUEST_URI} !gd-verify.php$
    RewriteCond %{REQUEST_URI} !post-dumper.php$
    RewriteCond %{REQUEST_URI} !print.php$
    RewriteCond %{REQUEST_URI} !source-dump.php$
    RewriteCond %{REQUEST_URI} !textview.php$
    RewriteRule ^(.*)$ / [R,NC,L]

    Ban User Agents, referrers, script-kiddies and more..

    There are many valid reasons to ban a particular request from sucking up your site's resources; resources that could be better served to valid, interested users. It might be some cross-site attack script, or inward link from a place you don't want to be associated with, or perhaps a web sucker or download manager, whatever; .htaccess + mod_rewrite provides ways to protect your content from unwanted "guests".

    The basic formula is standard if-then logic: if the request meets a particular CONDITION, then REWRITE the request. The "conditions" can be many things; perhaps the referrer header sent by their browser (the site they came from), or the page they asked for, or a particular query parameter, or the type of client (browser, etc.) they are using, or any other piece of information Apache has attached to the request. Here's an example which will deny access to "Teleport Pro", a download manager which is known to suck, hard..

    Who needs a local copy, when I'm right here?..

    RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [NC]
    RewriteRule . abuse.txt [L]

    It's your site, and just like your home, you have every right to exert some control over who gets in. You may have a huge list of user agents you'd rather not have eating your bandwidth; so use the [OR] flag, and line 'em up..

    A little garlic for the net vampires..

    RewriteCond %{HTTP_USER_AGENT} ^BackWeb [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^Bandit [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^BatchFTP [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^BecomeBot [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [NC,OR]
    # etc..
    RewriteCond %{HTTP_USER_AGENT} ^Net\ Vampire [NC]
    RewriteRule . abuse.txt [L]

    This forms the basis of what often becomes a HUGE list of ban-lines. Remember, we aren't limited to user agent strings..

    Suckers, h4x0rz, kiddies, cross-site scripters and more.. Bye now!

    # why not come visit me directly?
    RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
    # this prevents stoopid cross-site discovery attacks..
    RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]
    # please stop pretending to be the Googlebot..
    RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
    # really, we need a special page for these twats..
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
    # you can probably work these out..

    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{THE_REQUEST} \/\*\ HTTP/ [NC,OR]
    # etc..
    RewriteCond %{HTTP_USER_AGENT} Sucker [NC]
    RewriteRule . abuse.txt [L]

    Fortunately, mod_rewrite can parse enormous lists of ban-lines in milliseconds, so feel free to be as specific and comprehensive as required.

    As ever, thorough testing is strongly recommended. Simply send requests matching your conditions and see what happens. And importantly; normal requests, too. Firefox, Opera, Konqueror, and most other decent browsers, allow you to alter the user agent string; though you would quickly find the process tedious in a testing situation. Far better to use some tool better designed to send fake HTTP requests..

    It's not too difficult to mock up a web request on the command-line with any-old user agent using a scripting language like php or Perl, if you have these things available (read: most Linux/UNIX/BSD/etc. as well as many other OS). Many examples exist online. In fact, you could quickly create a suite of tests, designed to interrogate all your rewrite rules, with results logging and much more, if required. cURL is always useful for jobs like this, so long as you don't add a cURL ban-line!

    On a Windows desktop, Sam Spade can send a single spoofed request with a couple of clicks, along with a stack of similarly handy tricks, and regularly proves itself invaluable.
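    An offline version of the test suite suggested above, as an added example that is not part of the original page: a Python model of how a RewriteCond list with [OR] and [NC] is evaluated, checked against constructed requests, normal ones included. The ban-lines are a selection from the page's examples; the helper names and sample requests are assumptions. It also shows the usual slip when such a list is extended: leaving [OR] on the last condition makes the rule apply to every request, which mod_rewrite's in-order evaluation does as well.

```python
import re

def conds_match(conds, request):
    """Evaluate RewriteCond lines in order: lines are ANDed, except that
    [OR] joins a line to the one after it. [NC] ignores case."""
    group_hit = False
    for var, pattern, flags in conds:
        negate = pattern.startswith("!")
        rx = re.compile(pattern[1:] if negate else pattern,
                        re.I if "NC" in flags else 0)
        hit = bool(rx.search(request.get(var, ""))) != negate
        group_hit = group_hit or hit
        if "OR" not in flags:            # this line closes its OR-group
            if not group_hit:
                return False
            group_hit = False
    return True                          # a trailing [OR] leaves its group open

# Ban-lines selected from the page's examples, in RewriteCond order.
BAN = [
    ("HTTP_USER_AGENT", r"^BackWeb", {"NC", "OR"}),
    ("HTTP_USER_AGENT", r"^Bandit", {"NC", "OR"}),
    ("HTTP_USER_AGENT", r"^BlackWidow", {"NC", "OR"}),
    ("HTTP_REFERER", r"\.opendirviewer\.", {"NC", "OR"}),
    ("THE_REQUEST", r"etc/passwd", {"NC", "OR"}),
    ("REQUEST_URI", r"owssvr\.dll", {"NC", "OR"}),
    ("HTTP_USER_AGENT", r"^Net\ Vampire", {"NC"}),
]
# Same list with [OR] left on the final line (the editing slip).
BROKEN = BAN[:-1] + [("HTTP_USER_AGENT", r"^Net\ Vampire", {"NC", "OR"})]

def req(agent, line="GET /index.php HTTP/1.1", referer=""):
    """Build the server variables the conditions look at."""
    return {"HTTP_USER_AGENT": agent, "THE_REQUEST": line,
            "REQUEST_URI": line.split()[1].split("?")[0],
            "HTTP_REFERER": referer}

# Constructed sample requests: two that must pass, four that must be caught.
REQUESTS = {
    "firefox": req("Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0"),
    "curl": req("curl/7.26.0"),
    "blackwidow_lc": req("blackwidow"),
    "net_vampire": req("Net Vampire/3.3"),
    "passwd_probe": req("Mozilla/4.0", "GET /page.php?f=/etc/passwd HTTP/1.0"),
    "referred": req("Mozilla/4.0", referer="http://www.opendirviewer.example/list"),
}

def audit(conds):
    """Return {request name: True if the ban rule would fire}."""
    return {name: conds_match(conds, r) for name, r in REQUESTS.items()}

if __name__ == "__main__":
    for name, banned in audit(BAN).items():
        print(f"{name:14} banned={banned}")
    print("trailing [OR] bans everything:", all(audit(BROKEN).values()))
```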

    Don't let just anyone hammer your site!

    While I'm on the subject of abusive web clients, you will probably have noticed that many clients (bots, spiders, automated suckers and such) like to disguise their user agent information, in fact any information, in an attempt to bring your site to its knees, hammering your pages umpteen times per second in the process. Not good.

    If you are interested in a way to defeat hammering web clients regardless of who they pretend to be or whether or not they accept cookies or any such malarkey, protecting your valuable server resources for genuine clients, check out: Anti-Hammer. It's free.

    prevent hot-linking

    Believe it or not, there are some webmasters who, rather than coming up with their own content will steal yours. Really! Even worse, they won't even bother to copy to their own server to serve it up, they'll just link to your content! No, it's true, in fact, it used to be incredibly common. These days most people like to prevent this sort of thing, and .htaccess is one of the best ways to do it.

    This is one of those directives where the mileage variables are at their limits, but something like this works fine for me..

    how DARE they!

    Options +FollowSymlinks
    # no hot-linking
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http://(www\.)?corz\.org/ [NC]
    RewriteCond %{REQUEST_URI} !hotlink\.(gif|png) [NC]

    RewriteRule .*\.(gif|jpg|png)$ https://reader009.{domain}/reader009/html5/0502/5ae8aec367551/5ae8aee3804e6.p[NC]

    You may see the last line broken into two, but it's all one line (all the directives on this page are). Let's have a wee look at what it does..

    We begin by enabling the rewrite engine, as always.

    The first RewriteCond line allows direct requests (not from other pages - an "empty referrer") to pass unmolested. The next line means; if the browser did send a referrer header, and the word "corz.org" is not in the domain part of it, then DO rewrite this request.

    The all-important final RewriteRule line instructs mod_rewrite to rewrite all matched requests

    (anything without "corz.org" in its referrer) asking for gifs, jpegs, or pngs, to an alternative image.

    There are loads of ways you can write this rule; Google for "hot-link protection" and get a whole

    heap. Simple is best. You could send a wee message instead, or direct them to some evil script, or something. Mine is a simple corz.org logo, which I think is rather clever. Actually, these days, I do

    something even cleverer-er..

    lose the "www"

    I'm often asked how I prevent the "www" part showing up at my site, so I guess I should add something about that. Briefly, if someone types http://www.corz.org/ into their browser (or uses the www part for any link at corz.org) it is redirected to the plain, rather neat, http://corz.org/ version. This is easy to achieve, like so..

    beware the regular expression:

    Options +FollowSymlinks
    RewriteEngine on
    RewriteCond %{http_host} ^www\.corz\.org [NC]
    RewriteRule ^(.*)$ http://corz.org/$1 [R=301,NC]

    You don't need to be touched by genius to see what's going on here. There are other ways you could write this rule, but again, simple is best. Like most of the examples here, the above is pasted directly from my own main .htaccess file, so you can be sure it works perfectly. In fact, I recently updated it so that I could share rules between my dev mirror and live site without any .htaccess editing..

    here's what I'm currently using:

    Options +FollowSymlinks
    RewriteEngine on
    RewriteCond %{HTTP_HOST} ^www\.(.*) [NC]
    RewriteRule ^(.*)$ http://%1/$1 [R=301,NC,L]

    multiple domains in one root

    If you are in the unfortunate position of having your sites living on a host that doesn't support

    multiple domains, you may be forced to roll your own with .htaccess and mod_rewrite. So long as

    your physical directory structure is well thought-out, this is fairly simple to achieve.

    For example, let's say we have two domains, pointing at a single hosted root; domain-one.com and

    domain-two.com. In our web server root, we simply create a folder for each domain, perhaps one/,

    and two/ then in our main (root) .htaccess, rewrite all incoming requests, like this..

    All requests NOT already rewritten into these folders, transparently rewrite..

    #two domains served from one root..

    RewriteCond %{HTTP_HOST} domain-one.com

    RewriteCond %{REQUEST_URI} !^/one

    RewriteRule ^(.*)$ one/$1 [L]

    RewriteCond %{HTTP_HOST} domain-two.com

    RewriteCond %{REQUEST_URI} !^two

    RewriteRule ^(.*)$ two/$1 [L]

    All requests for the host domain-one.com are rewritten (not R=redirected) to the one/ directory, so

    long as they haven't already been rewritten there (the second RewriteCond). Same story for

    domain-two.com. Note the inconsistency in the RewriteCond statement; !^/dir-name and !^dir-

    name should both work fine. But needless to say, if you get a 500 error on your server, that would be

    a good place to start looking!

    Also note, with such a simple domain & folder naming scheme, you could easily merge these two rule

    sets together. This would be unlikely in the real world though, which is why I left them separate; but still, worth noting.

    Other general settings and php directives can also go in this root .htaccess file, though if you have

    any further rewrite you'd like to perform; short URL's, htm to php conversion and what-not; it's probably easier and clearer to do those inside the sub-directory's .htaccess files.

    automatic translation

    If you don't read English, or some of your guests don't, here's a neat way to have the wonderful

    Google translator provide automatic on-the-fly translation for your site's pages. Something like this..

    they simply add their country code to the end of the link, or you do..

    Options +FollowSymlinks
    RewriteEngine on
    RewriteRule (.*)-fr$ http://www.google.com/translate_c?hl=fr&sl=en&u=http://corz.org/$1 [R,NC]
    RewriteRule (.*)-de$ http://www.google.com/translate_c?hl=de&sl=en&u=http://corz.org/$1 [R,NC]
    RewriteRule (.*)-es$ http://www.google.com/translate_c?hl=es&sl=en&u=http://corz.org/$1 [R,NC]
    RewriteRule (.*)-it$ http://www.google.com/translate_c?hl=it&sl=en&u=http://corz.org/$1 [R,NC]
    RewriteRule (.*)-pt$ http://www.google.com/translate_c?hl=pt&sl=en&u=http://corz.org/$1 [R,NC]

    You can create your menu with its flags or whatever you like, and add the country code to end of the

    links..

    Another thing you might like to try; rather than individual country flags; fr, de, etc., use the "u" flag, for "Universal". In theory, Google will check the client's location, and automatically translate to that language. One line in your .htaccess would cover all languages, and automatically cover new ones as Google adds them.

    While I'm here, slightly related; you can do a similar thing browser-side, create a "bookmarklet" (a regular bookmark, except that it "does something"), using this code for the location..

    the same sort of thing, except browser-side..

    javascript:void(location.href='http://translate.google.com/translate?u='+location.href)

    ..which you will instinctively learn to click at the merest whiff of unrecognizable text, I reckon. Put it in your toolbar somewhere visible, is my sincere recommendation.

    httpd.conf

    Remember, if you put these rules in the main server conf file (usually httpd.conf) rather than an

    .htaccess file, you'll need to use ^/... ... instead of ^... ... at the beginning of the RewriteRule line, in other words, add a slash.

    inheritance..

    If you are creating rules in sub-folders of your site, you need to read this.

    You'll remember how rules in top folders apply to all the folders inside those folders too. We call this "inheritance". Normally this just works. But if you start creating other rules inside subfolders you will, in effect, obliterate the rules already applying to that folder due to inheritance, or "descendancy", if you prefer. Not all the rules, just the ones applying to that subfolder. A wee demonstration..

    Let's say I have a rule in my main /.htaccess which redirected requests for files ending .htm to their

    .php equivalent, just like the example at the top of this very page. now, if for any reason I