Introduction to htaccess
In this tutorial you will learn about htaccess, what it can do
and how it can improve your website. Creating the htaccess file
is very easy. You can do it with notepad or any other flat text
editor.
In just three easy steps:
1) Save it as .txt document.
2) Upload it in ASCII(text) mode to the server.
3) Rename it to .htaccess.
Understand how htaccess affects directories.
Wherever the htaccess file is placed, it affects that directory.
When it is at the root of your site, it has a global effect,
affecting all directories and files below.
Advice:
Make sure word wrap is disabled when creating the htaccess file.
Be sure that you upload the htaccess file in ASCII (text) mode.
If something is done wrong you'll know because htaccess simply won't
work.
Be aware that it is possible to cause an infinite loop of redirects
or errors if you place something strange in the htaccess file (when
dealing with error documents).
When using Microsoft FrontPage extensions you shouldn't edit the
htaccess file (not recommended). If you do want to edit it, download
the htaccess file from your server first and then add your code to the
beginning.
What can you do with htaccess?
Custom error pages
Preventing a directory from being listed
Password protection
Deny users by IP
Change your default directory page
Prevent viewing of htaccess
Redirects
Adding MIME types
Preventing hot linking of your images
Custom error pages
Below is a list of the server returned error codes that are most
seen by users.
| 400 | Bad Request |
| 401 | Authorization Required |
| 403 | Forbidden |
| 404 | Not Found |
| 500 | Internal Server Error |
400 - Bad Request, which is one of those generic kind of
errors that people get to by doing some weird stuff with your URL
or scripts.
401 - Authorization Required (as in when somebody tries to
enter a protected area of your site without the proper credentials)
403 - Forbidden (as in when a file with permissions not allowing
it to be accessed by the user is requested)
404 - Handle requests for pages that are not found.
500 - Internal server errors in any scripts you have currently
running.
In order to specify your own customized error documents, you simply
need to add the following commands, on one line, within your htaccess
file:
ErrorDocument 404 /errors/notfound.html
You can name the pages anything you want and you can place the
error pages anywhere you want within your site, so long as they
are web-accessible (through a URL). The initial slash in the directory
location represents the root directory of your site, that being
where your default page for your first-level domain is located.
If you were to use an error document handler for each of the error
codes I mentioned, the htaccess file would look like the following
(note each command is on its own line):
ErrorDocument 400 /errors/badrequest.html
ErrorDocument 401 /errors/authreqd.html
ErrorDocument 403 /errors/forbid.html
ErrorDocument 404 /errors/notfound.html
ErrorDocument 500 /errors/serverr.html
You can specify a full URL rather than a virtual URL in the ErrorDocument
string (http://yoursite.com/errors/notfound.html vs. /errors/notfound.html),
but this may not be the method the server prefers.
You can also specify HTML with your error documents.
ErrorDocument 401 "<body bgcolor=#ffffff><h1>You have to actually <b>BE</b> a <a href='#'>member</a> to view this page!</h1></body>"
Try including your own graphics in the error documents page. For
example, on notfound.html, try including a header and footer.
Preventing a directory from being listed
Do you have a directory full of images or zips that you do not
want people to be able to browse through? Typically a server is
set up to prevent directory listing, but sometimes it is not.
If your server is not, you will have to become self-sufficient and
fix the problem with htaccess:
IndexIgnore *
The * is a wildcard that matches all files
Place that line into an htaccess file in your images directory and
nothing in that directory will be able to be listed.
What if you wanted the directory contents to be listed, but only
the HTML pages and not the images?
IndexIgnore *.gif *.jpg
This would return a list of all the files except those specified
in the above example.
If your server is set up to prevent directory listing and you want
your directories to be listed, then you could simply put this into
the htaccess file:
Options +Indexes
If you do use this option, be very careful that you do not put any
unintentional or compromising files in this directory. You can put
in a minus sign (Options -Indexes) to prevent directory listing
entirely. This is typical of most server setups and is usually configured
elsewhere in the Apache server, but can be overridden through the
use of htaccess.
Password protection
Ever wanted a specific directory in your site to be password
protected?
There are numerous methods of password protecting areas of your
site: some are server-side (such as ASP, PHP or Perl) and some are
client-side, such as JavaScript. JavaScript is not as
secure or foolproof as a server-side option. A server-side challenge/response
is always more secure than a client-dependent challenge/response.
Htaccess is about as secure as you can or need to get in everyday
life.
The first thing you will need to do is create the htaccess file.
Please make sure you visit the links below pertaining to the type
of account you have with us. The instructions on how to create the
htaccess file are there.
You will need to visit these pages in order to get the encrypted
password that you will use with the htpasswd file.
When you ordered a shared hosting package you selected a specific
plan from the ones that we offer. They are listed on our site with
a letter next to them: 1U, 2U, 3U, 4U, 3R, 4R. The U stands for
Unix, the R stands for Cobalt RaQ.
If you have a unix account with us and signed up for a shared hosting
account on September 5 2001 or later, visit this
page.
Cobalt RaQ accounts must visit this
page.
If you signed up before September 5 and your account is hosted on
a FreeBSD server, visit this
page.
Htaccess will work for your plan; it's just a matter of knowing
which of the above links to follow. If you tried the password protect tutorial
and it doesn't seem to want to work, then contact support@tera-byte.com.
Please ask support which plan you are on and include your domain so
that we can better assist you.
Deny users by IP
Add the following to the .htaccess file:
<Limit GET>
order allow,deny
deny from 128.23.45.
deny from 207.158.255.213
allow from all
</Limit>
This is an example of a .htaccess file that will block access to
your site to anyone who is coming from any IP address beginning
with 128.23.45 and from the specific IP address 207.158.255.213.
By specifying only part of an IP address, and ending the partial
IP address with a period, all sub-addresses coming from the specified
IP address block will be blocked. You must use the IP addresses
to block access; use of domain names is not supported. To deny all
IP addresses from your site use:
<Limit GET>
order allow,deny
deny from all
</Limit>
You can deny access based upon IP address or an IP block. The above
blocks access to the site from 123.45.6.7, and from any sub domain
under the IP block 012.34.5. (012.34.5.1, 012.34.5.2, 012.34.5.3,
etc.). You can also deny/allow by domain name (allow from .mysite.com
works for www.mysite.com or virtual.mysite.com, etc.)
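How the first <Limit GET> block in this section is evaluated, as a simplified Python model added here (not part of the original tutorial or of Apache itself; the function names are illustrative). It follows the documented "Order allow,deny" rule and shows that rules wrapped in <Limit GET> are checked only for GET and HEAD requests, so the restriction covers every method only when the <Limit> wrapper is left out.

```python
# Simplified model of Apache's "Order allow,deny" evaluation (added example).
# The rule strings mirror the tutorial's block; function names are illustrative.

def matches(rule, ip):
    """True if an Allow/Deny operand covers the client IP address."""
    if rule == "all":
        return True
    # A partial address such as "128.23.45." is compared octet by octet,
    # so it covers 128.23.45.9 but not 128.234.5.1.
    want = [octet for octet in rule.split(".") if octet]
    return ip.split(".")[:len(want)] == want


def is_allowed(method, ip, allow, deny, limit=("GET",)):
    """Return True if the request gets past the access rules.

    limit: the methods named in <Limit ...>; None models a file with no
    <Limit> wrapper, where the rules apply to every request method.
    """
    if limit is not None:
        covered = set(limit)
        if "GET" in covered:
            covered.add("HEAD")   # limiting GET also restricts HEAD
        if method not in covered:
            return True           # rules inside <Limit> are not consulted
    # Order allow,deny: some Allow must match and no Deny may match;
    # a request matching neither is denied by default.
    allowed = any(matches(rule, ip) for rule in allow)
    denied = any(matches(rule, ip) for rule in deny)
    return allowed and not denied


# The tutorial's first block: allow from all, two deny lines.
ALLOW = ["all"]
DENY = ["128.23.45.", "207.158.255.213"]

if __name__ == "__main__":
    for method, ip in [("GET", "128.23.45.9"), ("GET", "128.234.5.1"),
                       ("POST", "128.23.45.9")]:
        with_limit = is_allowed(method, ip, ALLOW, DENY)
        without = is_allowed(method, ip, ALLOW, DENY, limit=None)
        print(f"{method:5} {ip:16} <Limit GET>: {with_limit}  no <Limit>: {without}")
```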
Change your default directory page
Some of you may be wondering what DirectoryIndex is. It is a command
which allows you to specify a file that is to be loaded as your
default page whenever a directory or URL request comes in that
does not specify a specific page.
DirectoryIndex filename.html
This would cause filename.html to be treated as your default page,
or default directory page. You can also append other filenames to
it. You may want to have certain directories use a script as a default
page.
DirectoryIndex filename.html index.cgi index.pl default.htm
Placing the above command in your htaccess file will cause this
to happen:
When a user types in yoursite.com, your site will look for filename.html
in your root directory (or any directory if you specify this in
the global htaccess), and if it finds it, it will load that page
as the default page. If it does not find filename.html, it will
then look for index.cgi; if it finds that one, it will load it,
if not, it will look for index.pl and the whole process repeats
until it finds a file it can use. Basically, the list of files is
read from left to right.
Prevent viewing of .htaccess file
If you use htaccess for password protection, then the location
containing all of your password information is plainly available
through the htaccess file. If you have set incorrect permissions
or if your server is not as secure as it could be, a browser has
the potential to view an htaccess file through a standard web interface
and thus compromise your site/server. This, of course, would be
a bad thing. However, it is possible to prevent an htaccess file
from being viewed in this manner:
<Files .htaccess>
order allow,deny
deny from all
</Files>
The first line specifies that the file named .htaccess is
having this rule applied to it. You could use this for other purposes
as well if you get creative enough. If you use this in your htaccess
file, a person trying to see that file would get returned (under
most server configurations) a 403 error code. You can also set permissions
for your htaccess file via CHMOD, which would also prevent this
from happening, as an added measure of security: 644 or RW-R--R--
Redirects
Ever go through the nightmare of changing significant portions
of your site, then having to deal with the problem of people finding
their way from the old pages to the new? There are different ways
of redirecting pages, through http-equiv, javascript or any of the
server-side languages. You can do it through htaccess, which is
probably the most effective, considering the minimal amount of work
required to do it.
Htaccess uses redirect to look for any request for a specific page
and if it finds that request, it forwards it to a new page you have
specified:
Redirect /olddirectory/oldfile.html http://yoursite.com/newdirectory/newfile.html
Note that there are 3 parts to that, which should all be on one
line.
1) The redirect command.
2) The location of the file/directory you want redirected relative
to the root of your site (/olddirectory/oldfile.html = yoursite.com/olddirectory/oldfile.html).
3) The full URL of the location you want that request sent to.
Each of the 3 is separated by a single space, but all on one line.
You can also redirect an entire directory by simply using:
Redirect /olddirectory/ http://yoursite.com/newdirectory/
Using this method, you can redirect any number of pages no matter
what you do to your directory structure. It is the fastest method
with a global effect.
Adding MIME Types
What are MIME Types?
MIME stands for Multipurpose Internet Mail Extensions. It extends
the power of web browsers to handle graphics, sound and multimedia.
MIME is also used for binary email attachments. Browsers recognize
MIME types in categories and file types, separated by a slash (such
as image/gif). If you've registered a MIME type, the browser decodes
the file and launches a helper application. What if your server
wasn't set up to deliver certain file types properly? A common occurrence
with MP3 or even SWF files. Simple enough to fix with htaccess:
To do this you must first understand the three parts of adding
a MIME type. The first part is the AddType. This
tells the server that you are adding a MIME type. Second is
the application string. This is the actual parameter of
the MIME you are adding (the MIME type). The final part is the default
extension for the MIME type you want to add.
AddType mime-type ext
Save the .htaccess file and store all "file_name.ext" files in the same directory.
Then, all files in the directory that end in .ext (those extensions
you have added) will be mapped into mime-type and handled properly
by the server. Please note that you do NOT include a period (.) before
the extension. You can list several extensions separated by blanks.
For example, if you wanted to store and serve Lotus 1-2-3 files
with the extensions wks, wk1, wk2, wk3, and wk4, you should type:
AddType application/lotus123 wks wk1 wk2 wk3 wk4
By the way, here's a neat little trick that few know about. To
force a file to be downloaded, via the Save As browser feature,
you can simply set a MIME type to application/octet-stream
and that immediately prompts you for the download.
Preventing hot linking of images
In the webmaster community, "hot linking" is a curse phrase. It is also
known as "bandwidth stealing". It refers to linking directly to
non-html objects not on one's own server, such as images, .js files
etc. The victim's server in this case is robbed of bandwidth (and
in turn money) as the violator enjoys showing content without having
to pay for its delivery. The most common practice of hot linking
pertains to another site's images.
How can I prevent people from hotlinking to my images?
The best way to stop hot linking is to have your images placed
in a separate folder (not the same folder as your html files) and put
a .htaccess file in it. Each folder should also have a blank
index.html file to prevent people from seeing your directory listing.
In order for the method below to work, the browser that requests the
page must return the URL of the page, called the "HTTP_REFERER".
Checking the HTTP_REFERER will slow down the server somewhat so you
should only do this if people hotlinking your images is a
problem.
Copy this text below, make the changes to show your domain info,
and paste it into notepad. Name this file .htaccess and place it
in all your image folders. Be sure to upload in ASCII mode or the
.htaccess file will not work.
Options All
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain.com/.*$ [NC]
RewriteRule \.(gif|jpg)$ - [F]
Be sure to replace "mydomain.com" with your own. The above code
causes a broken image to be displayed when it's hot linked. You can
instead have an image of your choice be displayed for those attempting
to steal bandwidth. The code for this is:
Options All
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain.com/.*$ [NC]
RewriteRule \.(gif|jpg)$ http://www.mydomain.com/notallowed.gif [R,L]
The first line allows the "RewriteRule" directive to be used (only needed on some servers).
The next line tells Apache to turn on mod_rewrite.
In the next two lines, change the address to your own (both with and
without the www., as well as your IP).
The last line is where you would like the link from the site trying
to download from their pages to be redirected. This way if some
one links directly to your "coolpicture.jpg" from their website,
instead of seeing your cool picture the user will see a picture
that you decide to show. Make the picture be something the user
will not want to see and get the message across that he is a bandwidth
stealer. After the user sees that the "hot linking" isn't
working, the user will change his links.
In order to have it work for you:
replace mydomain.com with your own domain
replace the notallowed.gif with the image you want them to see.
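The two RewriteCond lines and the RewriteRule pattern above, replayed in Python against constructed Referer values (an added example, not part of the original tutorial; TIGHT_PATTERN and the function names are assumptions). It shows that the tutorial's pattern refuses images to the site's own pages when they are served over https, that the unescaped dot in mydomain.com matches any character, and that the case-sensitive RewriteRule pattern does not cover uppercase extensions.

```python
import re

# PAGE_PATTERN is the tutorial's RewriteCond pattern. TIGHT_PATTERN is an
# assumed variant that also accepts https and escapes the dot in the domain.
PAGE_PATTERN = r"^http://(www\.)?mydomain.com/.*$"
TIGHT_PATTERN = r"^https?://(www\.)?mydomain\.com/"
IMAGE_RULE = r"\.(gif|jpg)$"   # RewriteRule pattern; it carries no [NC] flag


def is_blocked(path, referer, own_site_pattern):
    """Apply the rule set to one request; True means the image is refused."""
    referer_present = re.search(r"^$", referer) is None       # !^$
    referer_foreign = re.search(own_site_pattern, referer,
                                re.IGNORECASE) is None         # !pattern [NC]
    is_image = re.search(IMAGE_RULE, path) is not None
    return referer_present and referer_foreign and is_image


# Constructed sample requests: (label, requested path, Referer header).
SAMPLES = [
    ("no referer",      "pic.jpg", ""),
    ("own page, http",  "pic.jpg", "http://www.mydomain.com/gallery.html"),
    ("own page, https", "pic.jpg", "https://www.mydomain.com/gallery.html"),
    ("other site",      "pic.jpg", "http://othersite.example/page.html"),
    ("dot over-match",  "pic.jpg", "http://mydomainxcom/page.html"),
    ("uppercase ext",   "pic.JPG", "http://othersite.example/page.html"),
]


def evaluate(own_site_pattern):
    """Return {label: blocked?} for every constructed sample request."""
    return {label: is_blocked(path, referer, own_site_pattern)
            for label, path, referer in SAMPLES}


if __name__ == "__main__":
    page, tight = evaluate(PAGE_PATTERN), evaluate(TIGHT_PATTERN)
    for label, _, _ in SAMPLES:
        print(f"{label:16} tutorial={page[label]!s:5} tightened={tight[label]!s:5}")
```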