.htaccess in Detail
What is a .htaccess file?
.htaccess files (or "distributed configuration files") provide a way to make configuration changes on a per-directory basis.
With a .htaccess file we can achieve the tasks below:
password protection, redirects, enabling scripts, directory index listing, and setting the index file.
Is it safe?
There are two main reasons to avoid the use of .htaccess files.
The first of these is performance. When AllowOverride is set to allow the use of .htaccess files, Apache will look in every directory for .htaccess files. Thus, permitting .htaccess files causes a performance hit, whether or not you actually even use them! Also, the .htaccess file is loaded every time a document is requested.
Further note that Apache must look for .htaccess files in all higher-level directories, in order to have a full complement of directives that it must apply. (See section on how directives are applied.) Thus, if a file is requested out of a directory /www/htdocs/example, Apache must look for the following files:
/.htaccess
/www/.htaccess
/www/htdocs/.htaccess
/www/htdocs/example/.htaccess
And so, for each file access out of that directory, there are 4 additional file-system accesses, even if none of those files are present. (Note that this would only be the case if .htaccess files were enabled for /, which is not usually the case.)
The second consideration is one of security. You are permitting users to modify server configuration, which may result in changes over which you have no control. Carefully consider whether you want to give your users this privilege. Note also that giving users fewer privileges than they need will lead to additional technical support requests. Make sure you clearly tell your users what level of privileges you have given them. Specifying exactly what you have set AllowOverride to, and pointing them to the relevant documentation, will save you a lot of confusion later.
To enable .htaccess, change the AllowOverride option in the Apache conf file accordingly:
AllowOverride All
Instead of All we can give Options, FileInfo, AuthConfig, Limit or None.
The default filename is .htaccess. To change it, set AccessFileName in the Apache httpd.conf file as below.
AccessFileName .config
Once the above settings are changed, .htaccess is enabled. Now place a file named .htaccess (or the name you configured) in the web server root directory.
Before processing a directory, Apache looks for a file named .htaccess there. If a parent directory and a subdirectory both contain configuration for the same setting, the subdirectory's configuration is used.
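The lookup and override behaviour described above, as an added Python example that is not part of the original article: it reads `<Directory>` blocks from a constructed httpd.conf fragment and lists which access files Apache would consult for a request directory, with the override classes users get there. It assumes the Apache 2.4 default of AllowOverride None where nothing is configured; the function names and sample paths are hypothetical.

```python
import re
from pathlib import PurePosixPath

# Constructed sample httpd.conf fragment (assumption, not from the article).
SAMPLE_CONF = """\
AccessFileName .config
<Directory "/">
    AllowOverride None
</Directory>
<Directory "/www/htdocs">
    AllowOverride All
</Directory>
<Directory "/www/htdocs/example">
    AllowOverride AuthConfig Limit
</Directory>
"""

OPEN = re.compile(r'<Directory\s+"?([^">]+)"?\s*>', re.I)
OVERRIDE = re.compile(r'AllowOverride\s+(.+)', re.I)
ACCESS = re.compile(r'AccessFileName\s+(\S+)', re.I)

def parse_overrides(conf_text):
    """Return (access_file_name, {directory: [override classes]})."""
    name, overrides, current = ".htaccess", {}, None
    for line in map(str.strip, conf_text.splitlines()):
        if line.startswith("#"):          # Apache comments start the line
            continue
        if m := OPEN.match(line):
            current = m.group(1).rstrip("/") or "/"
        elif line.lower().startswith("</directory"):
            current = None
        elif m := ACCESS.match(line):
            name = m.group(1)
        elif (m := OVERRIDE.match(line)) and current:
            overrides[current] = m.group(1).split()
    return name, overrides

def htaccess_lookups(request_dir, conf_text):
    """List (file, override classes) consulted for request_dir, root first."""
    name, overrides = parse_overrides(conf_text)
    target = PurePosixPath(request_dir)
    result, effective = [], ["None"]      # assumed default: AllowOverride None
    for d in [*reversed(target.parents), target]:
        effective = overrides.get(str(d), effective)  # nearest <Directory> wins
        if [c.lower() for c in effective] != ["none"]:
            result.append((str(d / name), effective))
    return result
```

Any directory reported with All is one where users can change every overridable class of directive; with AllowOverride None on / the lookups for / and /www disappear entirely.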
Useful commands
If a file-not-found error occurs in the directory, we can set a default error page.
ErrorDocument 404 /404.html
As mentioned above we can apply the same concept for other error codes also. For example 500 for internal server error, 403 for access denied.
To disable directory indexes inside the directory add below line to .htaccess file
Options -Indexes
To allow a particular IP address, add the code below
allow from 192.168.5.26
[ A range is also possible, like 000.000.000.000,192.168.000.000 ]
To deny a particular IP address
deny from 192.168.5.26
[ A range is also possible, like 000.000.000.000,192.168.000.000 ]
To deny from all
deny from all
To specify index file for each folder
DirectoryIndex index.html index.jsp index.php
Apache will look from left to right, so if index.html is not found it will look for index.jsp, then index.php.
Also we can redirect a particular directory or particular file to another path/file in the same server or on any other server. See below
To Redirect file/path
Redirect /path/file /newpath/file
Redirect /file http://www.google.com
While redirecting, the additional info in the path is kept as it is. For example, after Redirect /test http://www.google.com/test, if we type www.oldurl.com/test/filepath/file.png it will go to www.google.com/test/filepath/file.png
To protect a directory with a password, add the code below
AuthName "Name to display while prompting password"
AuthType Basic
AuthUserFile "/full/path/to/.htpasswd"
Require valid-user
To add the password and user details to .htpasswd file use the htpasswd command as below.
htpasswd -mc /full/path/to/.htpasswd username
To access the path directly from a script with the password, try http://rajesh:rajesh123@localhost/test
The options available with the htpasswd command for creating passwords are listed below.
htpasswd [ -c ] [ -m ] [ -D ] passwdfile username
htpasswd -b [ -c ] [ -m | -d | -p | -s ] [ -D ] passwdfile username password
htpasswd -n [ -m | -d | -s | -p ] username
htpasswd -nb [ -m | -d | -s | -p ] username password
-b Use batch mode; i.e., get the password from the command line rather than prompting for it. This option should be used with extreme care, since the password is clearly visible on the command line.
-c Create the passwdfile. If passwdfile already exists, it is rewritten and truncated. This option cannot be combined with the -n option.
-n Display the results on standard output rather than updating a file. This is useful for generating password records acceptable to Apache for inclusion in non-text data stores. This option changes the syntax of the command line, since the passwdfile argument (usually the first one) is omitted. It cannot be combined with the -c option.
-m Use MD5 encryption for passwords. This is the default (since version 2.2.18).
-d Use crypt() encryption for passwords. This is not supported by the httpd server on Windows and Netware and TPF. This algorithm limits the password length to 8 characters. This algorithm is insecure by today’s standards. It used to be the default algorithm until version 2.2.17.
-s Use SHA encryption for passwords. Facilitates migration from/to Netscape servers using the LDAP Directory Interchange Format (ldif).
-p Use plaintext passwords. Though htpasswd will support creation on all platforms, the httpd daemon will only accept plain text passwords on Windows, Netware and TPF.
-D Delete user. If the username exists in the specified htpasswd file, it will be deleted.
passwdfile Name of the file to contain the user name and password. If -c is given, this file is created if it does not already exist, or rewritten and truncated if it does exist.
username The username to create or update in passwdfile. If username does not exist in this file, an entry is added. If it does exist, the password is changed.
password The plaintext password to be encrypted and stored in the file. Only used with the -b flag.
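To check which of the storage schemes above (-m, -d, -s, -p) an existing password file actually uses, the following added Python example (not part of the original article) classifies each entry by its stored format and flags the weak ones. The sample file content is constructed with dummy values, the function names are hypothetical, and the bcrypt prefix belongs to the -B option of newer htpasswd versions, which this page does not list.

```python
import re

# Constructed sample .htpasswd content; every stored value is a dummy.
SAMPLE = """\
alice:$apr1$abcdefgh$0123456789abcdefghijkl
bob:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
carol:ab0123456789A
dave:$2y$05$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234
eve:hunter2-example
"""

CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")   # traditional crypt() output

# crypt() truncates at 8 characters, {SHA} is a single unsalted SHA-1,
# and plaintext needs no explanation.
WEAK = {"crypt", "sha1", "plaintext"}

def classify(stored):
    """Map one stored password field to the scheme that produced it."""
    if stored.startswith("$apr1$"):
        return "apr1-md5"                        # htpasswd -m
    if stored.startswith("{SHA}"):
        return "sha1"                            # htpasswd -s
    if stored.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"                          # htpasswd -B (not on this page)
    if CRYPT_RE.match(stored):
        return "crypt"                           # htpasswd -d
    return "plaintext"                           # htpasswd -p

def audit_htpasswd(text):
    """Return [(user, scheme, is_weak)] for every user:hash line."""
    report = []
    for line in text.splitlines():
        user, sep, stored = line.strip().partition(":")
        if not sep or user.startswith("#"):
            continue                             # skip blanks and comments
        scheme = classify(stored)
        report.append((user, scheme, scheme in WEAK))
    return report
```

A plaintext password that happens to be exactly 13 characters from the crypt alphabet is reported as crypt; either way the entry is flagged.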