 |
|
htaccess
Apache, like any other software, has configuration files. Your host edits these "global"
configuration files to serve as a default for all of the sites hosted on the server.
The .htaccess file (pronounced "h t access") acts as a "local" configuration file so
that individual Websites can customize the configuration to suit their needs.
The .htaccess files have the same directory limitation capabilities that are available
from the configuration files, but are set up in a way that permits direct access to
configuration by the person maintaining the directory, and doesn't require server
restart to upgrade or modify the security of the directory.
In other words, you can control your files in a way that effectively gives you control
of the server where your files are concerned, even though you don't have access to the server
confiigurations.
The .htaccess file is an ordinary text file that is usually created using telnet.
Because some hosts do not allow telnet, we have included instructions for Notepad or any
text editor and FTPing it into your Web directory. This file will contain the
configuration statements (commands) to customize the Apache Web server software for
your Website.
Notice that the file name starts with a period. This is to indicate to the Linux/Unix
operating system that it is a "system file" that is used by a server application, not
by a user of the system (such as an html file would be). However, with Windows, the
period denotes a separator between a file's name and its' "extension". As a result,
if you try and create a .htaccess file in Windows, it won't have a name. To get around
this, create a file called htaccess.txt, ftp that to the server, and then rename it to
.htaccess once it's there.
If you don't see it in your FTP program, check your
ftp program settings to make sure you have it set to (Show All Files).
With some versions of WS_FTP it's the "Show full directory information" check-box under the "Advanced"
tab in the Options window. If, after setting this option, you still don't see the file,
it's because the server is set not to show these files. It should still work though,
provided your host supports the use of htaccess files.
The most common uses are:
Deny access to certain IP's
Change your default page
Redirect a visitor to another page
Professional Error Page
SSI Without .shtml extension
Stop bandwidth theft from linking to downloads
Trap Pesky Spambots
Stop bandwidth theft from linking to images
Password protect a file or directory
The .htaccess file generally lives in the directory that will be affected.
The .htpasswd and .htgroup files can live in any location within the server.
The full Unix pathname is required to define the file and its location.
NOTE that the .htaccess files that reside in your public_html directory can be viewed through the web browser,
so you will need to know how to prevent access to the .htaccess file by disabling access to that particular filename.
Adding the following lines to your .htaccess file in the public_html directory will deny visitors from
viewing all .htaccess files contained in your website:
<Files .htaccess>
order allow,deny
deny from all
</Files>
|
Here is an example of the contents of an .htaccess file.
AuthUserFile /dir/.htpasswd
AuthGroupFile /dev/null
AuthName ByPassword
AuthType Basic
require user webmaster
|
In this example of allowing and Disallowing Domains, we have no need for the password and
the group files. In addition, we will be using the basic method. So our .htaccess
file would start with:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName AllowLocalAccess
AuthType Basic
|
Note that we have set the password and the group files to /dev/null.
This has been done to ensure that there is no chance of picking up some stray or unnecessary file.
order deny,allow
deny from all
allow from .localdomain.com
|
Here we have effectively limited access to the directory by stating that the user can
only do GETs and POSTs if we permit that from their domain.
The first thing we do is deny everyone access to GET and POST; this is the default state.
We use the keyword all to make the default cover anyone we don't wish to have access.
Then, we use the allow directive for domains to which we want to allow access.
Note that we prefix the domain with a period character. That means that any subdomain within that domain
can access the directory.
The allow and deny directives are permitted to have multiple hosts on the allow and deny lines.
The following line in the file above would have allowed people from .localdomain.com and .otherlocal.com to access the private directory.
allow from .localdomain.com .otherlocal.com
You can further enhance the limitations by using the require directive, as in these examples:
require user joe
require group authors
require valid-user joe
|
The require user directive states that, even if a person is permitted by the allow
directive, their user name still must be in the permitted users file (.htpasswd).
The require user form of the directive means that the person's user name must be in
the group file if the keyword is group. And, if the keyword is valid-user, the user
must enter their name and password to validate that they are permitted into the directory.
By default, the user must satisfy all the given directives.
The file can also contain the directive satisfy. The satisfy directive is used to allow any
require directive to be satisfied, and then all directives will be satisfied.
Again, the default is the keyword all, so it is not required. This is used to open the security up a tad,
rather than keeping it tightly closed.
Now that you have a general idea of some commands, scroll down for more tricks.
For quick "Copy and paste" password protection, see Password protect a file or directory
This code will block 123.456.789.0 IP and all others that are starting with 128.45.67.
Everybody else will be able to access your site.
You can block as many addresses as you want, but that kind of defeats the purpose of having a web site in the first place.
<Limit GET>
order allow,deny
deny from 123.456.789.0
deny from 123.45.67
allow from all
</Limit>
|
If your website is called company.com and there was a request for http://www.company.com/, the system
will return a file. The file that this returns is called the default file. When the server
sees the URL above, the server checks to see what the default file is supposed to be, and
it will return that file to the user. In most systems the default file is called index.html.
DirectoryIndex products.html
|
This file, placed the the directory "steel" containing "products.html" will bring visitors to that page.
Example: "http://www.yourcompany/steel/" will default to "http://www.yourcompany/steel/products.html"
If you have changed the location of a page, prevent bad links from occurring in places you or some one else forgot to change.
Redirect /oldpage.html /newdirectory/newpage.html
|
Did you ever notice how some Websites display a nice fancy "Sorry" page instead of the
generic, server-generated "404" error page when a non-existent page is requested?
Just create your own custom error pages, named "404.html" "401.html" "500.html" and add these lines to your .htaccess file:
ErrorDocument 404 http://www.domain.com/404.html
ErrorDocument 401 http://www.domain.com/401.html
ErrorDocument 500 http://www.domain.com/500.html
|
Looking through an html file for SSI directives is called "parsing", and
by default a server doesn't parse every html file. It only parses pages that have a .shtml
extension.
AddType text/html .html
AddHandler server-parsed .html
|
replace .html with .htm if that's what you are using for your pages.
Say you have taken the trouble to write programs, scripts, ect, and made them available for download.
I am sure you would like the credit for it, and preffer people visit your site to get it.
The following will prevent people from linking directly to your downloads and claiming it is theirs.
AuthUserFile /dev/null
AuthGroupFile /dev/null
RewriteEngine On RewriteCond
%{HTTP_REFERER}!>http://yourwebsite.com[NC] RewriteCond
%{HTTP_REFERER}!>http://www.yourwebsite.com[NC] RewriteCond
%{HTTP_REFERER}!>http://555.555.555.555[NC] RewriteRule
/*http://www.yourwebsite.com/page.htm[R,L]
|
The first line tells the server not to look for users.
The second line tells the server not to look for groups.
The third line tells Apache to turn on the MOD Rewite
The next three lines you change to your address, with, and without the www. as well as your IP.
The last line is where you would like the link from the site trying to download from their pages to be redirected. This way if some one links directly to your "coolscript.zip" from their website, instead of a download, the link will bring them a webpage that you specify.
Stop paying for bandwidth when all somebody is doing is trying to get e-mail addresses out of your pages.
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [OR]
RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [OR]
RewriteCond %{HTTP_USER_AGENT} ^CherryPicker [OR]
RewriteCond %{HTTP_USER_AGENT} ^NICErsPRO [OR]
RewriteCond %{HTTP_USER_AGENT} ^Teleport*28 [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailCollector
RewriteRule ^.*$ problem.html [L]
|
What this means is if HTTP_USER_AGENT from the beginning matches any of the listed values, they will be
redirected to the "problem.html" page that you create.
You can have it say whatever you want, but in order to truly trap them, there must be NO links on this page.
|
|
- Account Log ins
Control Panel Sample
- Getting Started
Chosing a Password
FTP
Index Files
Quick Html
Virus Tracker
Anti Spam Tips
- Creating Databases
Moving Databases
- Htaccess
Hot Linking
Password Protection
- Unix Commands
Chmod
Find
Grep
Ls
Regular Expressions
Telnet / SSH
|
