The ULTIMATE Guide to .htaccess

[Admin]

Preventing Viewing Of Your .htaccess File

If you use htaccess for password protection, then the location containing all of your password information is plainly available through the htaccess file. If you have set incorrect permissions or if your server is not as secure as it could be, a browser has the potential to view an htaccess file through a standard web interface and thus compromise your site/server. This, of course, would be a bad thing. However, it is possible to prevent an htaccess file from being viewed in this manner:

Code:

<Files .htaccess>
order allow,deny
deny from all
</Files>

If you use this in your htaccess file, a person trying to see that file would get returned (under most server configurations) a 403 error code. You can also set permissions for your htaccess file via CHMOD, which would also prevent this from happening, as an added measure of security: 644 or RW-R--R--

[Admin]

Setting MIME Types

What if your server wasn't set up to deliver certain file types properly? A common occurrence with MP3 or even SWF files. Simple enough to fix:

Code:

AddType application/x-shockwave-flash swf

AddType is specifying that you are adding a MIME type. The application string is the actual parameter of the MIME you are adding, and the final little bit is the default extension for the MIME type you just added, in our example this is swf for ShockWave File.

By the way, here's a neat little trick that few know about, to force a file to be downloaded, via the Save As browser feature, you can simply set a MIME type to application/octet-stream and that immediately prompts you for the download.

[Admin]

Preventing Hotlinking of your Images & Files

In the webmaster community, "hot linking" is a curse phrase. Also known as "bandwidth stealing" by the angry site owner, it refers to linking directly to non-html objects not on one own's server, such as images, .js files etc. The victim's server in this case is robbed of bandwidth (and in turn money) as the violator enjoys showing content without having to pay for its deliverance. The most common practice of hot linking pertains to another site's images.

Using .htaccess, you can disallow hot linking on your server, so those attempting to link to an image or CSS file on your site, for example, is either blocked (failed request, such as a broken image) or served a different content (ie: an image of an angry man) . Note that mod_rewrite needs to be enabled on your server in order for this aspect of .htaccess to work. Inquire your web host regarding this.

With all the pieces in place, here's how to disable hot linking of certain file types on your site, in the case below, images, JavaScript (js) and CSS (css) files on your site. Simply add the below code to your .htaccess file, and upload the file either to your root directory, or a particular subdirectory to localize the effect to just one section of your site:

Code:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain.com/.*$ [NC]
RewriteRule \.(gif|jpg|js|css)$ - [F]

Be sure to replace "mydomain.com" with your own. The above code creates a failed request when hot linking of the specified file types occurs. In the case of images, a broken image is shown instead.

Serving Alternate Content When Hotlinking is Detected

You can set up your .htaccess file to actually serve up different content when hot linking occurs. This is more commonly done with images, such as serving up a very rude image in place of the hot linked one. The code for this is:

Code:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain.com/.*$ [NC]
RewriteRule \.(gif|jpg)$ http://www.mydomain.com/angryman.gif [R,L]

Same deal- replace mydomain.com with your own, plus angryman.gif.
Time to pour a bucket of cold water on hot linking!

[Admin]

Prevent Listing Directory Content

Do you have a directory full of images or zips that you do not want people to be able to browse through? Typically a server is setup to prevent directory listing, but sometimes they are not. If not, become self-sufficient and fix it yourself:

Code:

IndexIgnore *

The * is a wildcard that matches all files, so if you stick that line into an htaccess file in your images directory, nothing in that directory will be allowed to be listed.

On the other hand, what if you did want the directory contents to be listed, but only if they were HTML pages and not images? Simple says I:

Code:

IndexIgnore *.gif *.jpg

This would return a list of all files not ending in .jpg or .gif, but would still list .txt, .html, etc.

And conversely, if your server is setup to prevent directory listing, but you want to list the directories by default, you could simply throw this into an htaccess file the directory you want displayed:

Code:

Options +Indexes

If you do use this option, be very careful that you do not put any unintentional or compromising files in this directory. And if you guessed it by the plus sign before Indexes, you can throw in a minus sign (Options -Indexes) to prevent directory listing entirely--this is typical of most server setups and is usually configured elsewhere in the apache server, but can be overridden through htaccess.

If you really want to be tricky, using the +Indexes option, you can include a default description for the directory listing that is displayed when you use it by placing a file called HEADER in the same directory. The contents of this file will be printed out before the list of directory contents is listed. You can also specify a footer, though it is called README, by placing it in the same directory as the HEADER. The README file is printed out after the directory listing is printed.

[Admin]

Conclusion & More Information

Of course, I can't list every possible use of htaccess here, just the more notable and useful ones (read: for fun and profit). There is a list of Apache Directives you can use for your htaccess files, though not all of them are designed to be used by htaccess. Consult the documentation for the directive you are looking to use and make sure that you can actually use it as an htaccess string.


You should also go through the Apache User's Guide for more detailed information if you are really serious about making your life easier as a webmaster. You don't need to update all 4,000 of the pages on your site individually, by hand, in order to change one file reference...honestly!

In any event, I hope you got a better idea of the power available to you through this relatively simple little Clark Kent-ish file. You really do have the ability to save yourself a lot of time and grief by using htaccess, especially when you add to that the power of SSI and xSSI.

Happy htaccessing!

[Admin]

You can stop certain servers or sites from hotlinking your files by editing the .htaccess file in your site's root directory. Displaying different content for specific sites is quite beneficial, you may have images hotlinked on good domains that you wish them to display but have sites illegally Hotlinking to your content that you don't want them to use.

Another reason may be a certain site is using excessive amounts of your bandwidth, such as MySpace users linking to your images. So you can serve these users either a lower quality image that's smaller in size, or a "Please Don't Hotlink" image.

There's no point blocking all outsite domains because of a few bad apples, so we can allow all except specific URL's we list.

Example: To stop hotlinking images from "badsite.com" and display an image called "nohotlink" instead, use this code in your .htaccess file:

Quote:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(www.)?badsite.com/ [NC]
RewriteRule .(jpe?g|gif|bmp|png)$ images/nohotlink.$1 [NC,L]

Line 1 "RewriteEngine On" tells Apache it's got some directives to follow.

Line 2 Tells Apache to act when your site is being accessed from either http://badsite.com or www.badsite.com and the [NC] says hey "No Case" or not case sensitive.

Line 3 says if Badsite.com requests a JPG, GIF, BMP or PNG file we should serve them nohotlink in your images folder.

Now, you'll notice it's written as nohotlink.$1 which means if they request whatever.jpg they will be served /images/nohotlink.jpg or if they request anything.gif they will be served /images/nohotlink.gif

Why like this? Well it's not real effective serving an alternate Filetype such as the remote server requests a .gif and you try and serve a .jpg

So doing it this way is 100% effective, however it means you will need to create a "nohotlink" image in JPG, GIF, BMP and PNG filetypes and store them in your images folder.

This directive not only works with images, it works for other file types such as CSS, Zip, Rar etc. You will just need to add the Filetype to line 4. So if we wanted to do Images and Zip files we would just alter it to:

(png|zip|gif|bmp|jpe?g)

And when your Zip files are hotlinked from the bad domain, they will receive in this case the yourdomain.com/images/nohotlink.zip

What you can do here is, open Notepad and write a simple message such as "Unfortunately this file was Hotlinked from my site, however if you would like to download it come visit us at YourDomain.com"

Save the text file as "download-info.txt" or something similar, Zip it and upload it to your site with the name nohotlink.zip

Now whenever any Zip files from your site are downloaded from Bad Domains hotlinks, their users will most likely come to your site giving you back the traffic you deserve and you might get some regular visitors out of it who Bookmark your site.

The whole thing will only cost you a lousy 4kb or so of bandwidth, and provide you with some great advertising. That will teach Bad Site to Hotlink

Blocking Multiple Domains

Ok, what if i've got a couple of Bad Domains i want to stop Hotlinking?

If you still want good sites to be able to Hotlink content, however we have a couple of bad domains we want to serve different content to the solution is easy and very similar to the above. If we have Badsite.com and Evilsite.com who are leeching our content we simply do the following:

Quote:

RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://(www.)?badsite.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(www.)?evilsite.com/ [NC]
RewriteRule \.(png|zip|gif|jpe?g)$ images/nohotlink.$1 [NC,L]

This is similar to the single site example, the ,OR] section just tells Apache to check if the remote link is coming from Badsite.com "or" Evilsite.com and if either is requesting a file remotely to serve the "nohotlink" alternative. If the remote site is neither, Apache will serve the original content.

Simple huh?

If you want to add several sites, just copy the badsite.com line so every line has the [NC,OR] and the final Badsite line just has the [NC] enter.

To allow hotlinking images only if the REFERER is from a specific directory from your domain:

Quote:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(www.)?example.com/dir/ [NC
RewriteCond %{HTTP_REFERER} !^$
RewriteRule .(jpe?g|gif|bmp|png)$ images/nohotlink.jpg [L]

To stop hotlinking images from specific outside domains only, named badsite.net and badsite.com:

Quote:

RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://(www.)?badsite.net/ [NC,OR
RewriteCond %{HTTP_REFERER} ^http://(www.)?badsite.com/ [NC
RewriteRule .(jpe?g|gif|bmp|png)$ images/nohotlink.jpg [L]

Stop Sites Scraping your RSS Feed

Alot of people have been asking how to stop people scraping their RSS feeds. Well you can do a neat trick with .htaccess to do just that. This won't stop people en masse, but once you have identified a site scraping your feed you can redirect their request elsewhere to nip it in the bud.

First you need to go to command prompt on your PC and type: ping rssthief.com

Obviously replace rssthief.com with their domain name, and the IP will be output so jot it down. Next add the following rule to your .htaccess file.

Quote:

RewriteEngine on
RewriteCond %{REMOTE_ADDR} ^123.123.123.123
RewriteRule ^(.*)$ http://rssthief.com/feed

Replace the 123.123.123.123 with their sites IP you got from command prompt. Now one sneaky move you can pull is add the Rss Thiefs own feed URL to the second line.

What this will do is, each time their IP pulls a request for your feed your server will redirect their request to their own feed which will pull content they have already published from their own blog and repost it resulting in them publishing their own duplicate content.

Yeah i know sneaky but hey! You could also add the feed of a porn site to the last line (with the owners permission of course) which will throw adult content on the RSS Thiefs site.. Not a good look if they are running a blog on non-fiction books.

Inserting Hidden Images in Content

You can also utilize the hotlink method i mentioned above with images. Here is what you do:

You can either manually paste a small 1x1 transparent gif in to the bottom of your blog post each time you make an entry, or you can edit your Wordpress template (single.php) to include the image in every post but make sure to have the full image URL like:

www.yourdomain.com/trap.png

Now when the RSS thief scrapes your feed, he will republish your trap. You can see external sites hotlinking your images in stats tools like Awstats in cPanel. They are easy to spot under "Links from External Sites", you will see many hits from these sites for your trap.png, but no or low pageload because the image represents a "hit" because it's loaded every time someone loads the thiefs page.

Now you can use the .htaccess trick i explained above once you identify the theifs domain and serve up a dirty big "I AM a THEIF THIS POST WAS STOLEN FROM YourDomain.com" instead.

The good thing about this is it doesn't change the tiny 1x1 pixel image on your site, or sites you may allow to syndicate your content. You can selectively serve up the stolen image on a per domain basic.

Google Alerts for your Site

Another thing you can do to save "hunting" for these content thieves is setup a Google Alert at www.google.com/alerts

Now it would be a pain having to setup an alert for each bit of content you write. Well same thing again, you can edit your single.php Wordpress template and insert a signature in every post, something like "Post Courtesy of YourDomain.com"

Then in Google alerts you paste in that phrase in quotes, and every time Google encounters that exact string of text somewhere on the web you get a handy email letting you know the URL.

This should help in blocking sites in .htaccess

Enjoy!

[Admin]

Redirect 404 pages to homepage

It's a good idea to have a custom 404 page with a site map, however some people may prefer to redirect all 404 error pages to their sites home page. If so place the below code in your .htaccess file, and don't forget to change site.com to your actual URL.

Quote:

RewriteEngine on
RewriteCond %{REQUST_FILENAME} !-f
RewriteCond %{REQUST_FILENAME} !-d
RewriteRule .+ http://www.site.com [L,R=301]

Enforce Trailing Slash with .htaccess

Apache can see a URL with and without a trailing slash as two different pages, this can cause canonical problems as the two URLs will be viewed by Google as seperate pages having duplicate content. So the following rule will rewrite

domain.com/my-great-page

to

domain.com/my-great-page/

Quote:

# Force Trailing Slash
RewriteCond %{REQUEST_URI} ^/[^.]+[^/]$
RewriteRule ^(.*)$ http://%{HTTP_HOST}/$1/ [R=301,L]

If you use WordPress, just make sure the rule is before the WordPress rewrites.

How to Redirect all pages to the home page:

This redirect will redirect every page request to your homepage, for example if someone visits yoursite.com/somepage.html they will be redirected to just yoursite.com

Quote:

RewriteEngine On

RewriteCond %{HTTP_HOST} !^www\.
RewriteRule (.*) http://www.%{HTTP_HOST}/$1 [R=301,L]

RewriteRule \/.+ / [L,R]