.htaccess guide

.htaccess is a special file you can upload to your web site to provide
various types of protection for your web site. Note that no .htaccess
based protection is truly secure. To really secure a particular section
of your site, ask us about Strongbox.

  • Basic requirements of .htaccess
  • Protect a directory from hotlinkers & bookmarks
  • Protect all images from hotlinkers
  • Referer protection with video clips or JavaScript
  • Redirect all 404 not found and other errors to a page of your choosing
  • Ban certain IPs from accessing your site, or only allow certain IPs
  • Require passwords to enter a certain area

    For more extensive .htaccess information, use the NCSA authentication tutorial.
    This Mosaic tutorial includes step-by-step basic by-password authentication,
    info on multiple usernames & passwords, examples, and general information.

    .htaccess info for Netscape servers
    .htaccess files aren't supported by the Netscape servers, but
    the Netscape servers do support ".nsconfig" files, which do much the
    same thing in a slightly different fashion. Use the link above to find
    out more.


    Basic requirements of .htaccess

    Unix (Linux) required

    To use .htaccess, you'll need to be on a server running Linux or some other
    Unix-like operating system, such as FreeBSD, and using server software such as
    Apache or another server that supports it. In other words, you can't
    use it with Windows NT or other Microsoft OSs. But then again, you really
    don't want to be hosted on NT anyway; Linux & Apache make a much better
    web server. {;~)

    Lastly, you'll need to be on a host that allows you to
    use .htaccess to accomplish whatever task you wish to accomplish.
    Different hosts have different rules, which they enforce using something
    called the "AllowOverride" directive. So if something listed here doesn't
    work for you, first check your syntax carefully, then double check that
    you are following the instructions listed below regarding naming and uploading
    the file properly. If it still doesn't work, check with your host to see
    if what you're attempting is allowed. If not, ask them why not;
    everything on this page SHOULD be allowed by a decent host.

    Name and upload the file properly
    No matter what you're using .htaccess for, make sure that
    you have named the file .htaccess . Not .htaccess.txt or htaccess ;
    this is a common error. When using Windows, the easiest way to make sure
    that Notepad or another program doesn't add the .txt extension is to
    quote the file name in the Save As dialog, as such: ".htaccess" .

    Next you need to make sure the file is uploaded to the server in ASCII mode.
    Your FTP client probably has a check box that allows you to choose either
    ASCII, binary, or automatic. Uploading in the wrong mode is the most common problem.

    The protected directory
    .htaccess files affect the directory in which they are located and the sub-directories
    of that directory.
    (note - a directory is the same as a Windows "folder")
    Therefore, webmasters normally use a "members" directory for anything
    they want to protect, with an "images" sub-directory inside that.
    You then put any samples or other "unprotected" items in a different directory.
    For example, the public area URL would be:
    www.yourdomain.com/samples.htm
    Members area URLs:
    www.yourdomain.com/members/gallery1.htm
    and
    www.yourdomain.com/members/images/pic1.jpg


    Protect a directory from hotlinkers & bookmarks

    This .htaccess technique keeps other sites from "stealing" your content
    by using a tag such as <img src="http://yourdomain.com/pic1.jpg">.
    It also keeps them from providing a direct link to your content pages.

    First, be sure to set up your "members" directory as explained above.
    Be sure to view this page full screen so the line breaks don't get messed up.
    Then open Notepad and paste in the following code, adjusting the domain names:



    Of course, where it says "your-site.com", you need to replace
    that part with the domain name of your site. The optional line that
    ends with !^$ works around poorly designed "personal privacy" software
    that the user may have installed. Some of this software may block
    something called the "referer header", which tells us which
    site the image is being linked from. Including the line means that
    users who have the header blocked can see the image even if it's linked
    from someone else's site. Leaving that line out makes it so that
    these users won't see the image even on your site.

    If you want to be really picky, but at the expense of just a bit more
    server load, this version of the above accounts for a couple more possibilities:

    Then FTP this file into your members directory, naming it .htaccess
    Notice the dot ( . ) in the name. Some people mistakenly leave it off.
    Other people mistakenly call it members.htaccess or something.
    Don't do that. It is just called .htaccess
    When you FTP it, make sure to set your FTP program to send it in
    ASCII or TEXT mode.

    Protecting images only, without a "members" directory

    This variation on the above setup protects your images from being
    included in someone else's page, without requiring them to be in
    a special "protected" directory. See the section immediately
    above about how to name and upload the file. The contents of the file
    should be:

    Referer protection with video clips or JavaScript

    Video players such as Microsoft media player do not properly
    pass the HTTP_REFERER variable used above. JavaScript based menus
    suffer from the same problem. Therefore, neither is compatible
    with the .htaccess configurations described above.

    If you're using JavaScript menus, you can simply switch over to cgi
    based menus instead, or you can use either of the techniques that you use
    for video clips.
    Email us for help with cgi based menus.
    If you have video clips on your site such as mpg, avi, or RealVideo,
    you have two choices: allow the null referer, or use a cookie.
    To allow a null referer, you'll add one line, so it'll look like this:

    RewriteEngine on
    # The conditions are ANDed: redirect only when the referer is neither
    # trusted site and is not empty.
    RewriteCond %{HTTP_REFERER} !^http://([a-z0-9-]+\.)*YOURSITE\.com/ [NC]
    RewriteCond %{HTTP_REFERER} !^http://([a-z0-9-]+\.)*anothertrustedsite\.com/ [NC]
    RewriteCond %{HTTP_REFERER} !=""
    RewriteRule /* http://%{HTTP_HOST}/ [R,L]

    That's it for the null referer method, you're done.
    Unfortunately, that also allows people to bookmark the page.
    Not really a problem on regular AVS sites, but many Gold AVS
    webmasters don't want people bookmarking.

    To prevent bookmarking, you can use a cookie to determine if they logged in
    through the AVS script. Add this line to your .htaccess instead:

    RewriteCond %{HTTP_COOKIE} !(^|(.+;)*)id=valid(;.*|$)

    So now your .htaccess looks like this:

    RewriteEngine on
    # Redirect unless the referer is a trusted site or the id=valid cookie is present.
    RewriteCond %{HTTP_REFERER} !^http://([a-z0-9-]+\.)*YOURSITE\.com/ [NC]
    RewriteCond %{HTTP_REFERER} !^http://([a-z0-9-]+\.)*cyberavs\.com/ [NC]
    RewriteCond %{HTTP_COOKIE} !(^|(.+;)*)id=valid(;.*|$)
    RewriteRule /* http://%{HTTP_HOST}/ [R,L]

    You need some JavaScript to set the cookie.
    Paste the following JavaScript into the <head> section of
    your first protected page:
    (Often www.you.com/members/index.html.)
    Your site is now protected.
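
    The three rule sets in this section (without the blank-referer line, with the
    null referer line, and with the cookie line), modelled in Python so their effect
    on sample requests can be compared. This is an added example, not code from the
    original guide; yoursite.com and anothertrustedsite.com are placeholder domains
    and every sample request is constructed.

```python
import re

# Placeholder domains standing in for YOURSITE.com and the second trusted site.
TRUSTED = ("yoursite.com", "anothertrustedsite.com")
REFERER_OK = [
    re.compile(r"^http://([a-z0-9-]+\.)*" + re.escape(d) + "/", re.I)  # [NC]
    for d in TRUSTED
]
COOKIE_OK = re.compile(r"(^|(.+;)*)id=valid(;.*|$)")


def redirected(referer="", cookie="", variant="strict"):
    """True when the RewriteRule fires and the visitor is sent to the home page.

    Consecutive RewriteCond lines are ANDed and each one here is negated,
    so the rule fires only when none of the allow patterns matches.
    """
    conds = [p.search(referer) is None for p in REFERER_OK]
    if variant == "null-referer":      # RewriteCond %{HTTP_REFERER} !=""
        conds.append(referer != "")
    elif variant == "cookie":          # RewriteCond %{HTTP_COOKIE} !(...)id=valid(...)
        conds.append(COOKIE_OK.search(cookie) is None)
    return all(conds)


# Constructed sample requests: (description, Referer header, Cookie header)
SAMPLES = [
    ("link from own page", "http://www.yoursite.com/members/gallery1.htm", ""),
    ("hotlink from another site", "http://other.example/page.htm", ""),
    ("look-alike host name", "http://yoursite.com.other.example/", ""),
    ("own page served over https", "https://www.yoursite.com/members/", ""),
    ("bookmark or video player, no cookie", "", ""),
    ("bookmark or video player, cookie set", "", "lang=en; id=valid"),
]
VARIANTS = ("strict", "null-referer", "cookie")


def report():
    """One row per sample: (description, strict, null-referer, cookie)."""
    return [(d, *(redirected(r, c, v) for v in VARIANTS)) for d, r, c in SAMPLES]


if __name__ == "__main__":
    for desc, *flags in report():
        print(f"{desc:38}", ["redirect" if f else "serve" for f in flags])
```

    Both inputs are request headers supplied by the client, so these rules deter
    casual hotlinking and bookmarking rather than authenticate anyone. The https row
    shows that a referer from an https:// page matches neither allow pattern as written.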

    Require passwords to enter a certain area

    Here is the .htaccess code to require passwords:

    AuthType Basic
    AuthUserFile /home/user/.htpasswd
    AuthGroupFile /dev/null
    AuthName "Members Area"
    require valid-user

    You'll probably need some type of script to manage the actual password list,
    unless you only want one person to be able to enter, such as an admin page.
    To manage passwords for many users, contact us at
    support@webmastersguide.com for script setup pricing.

    Redirect all 404 not found and other errors to a page of your choosing

    404 errors are generated when users try to go to a page that doesn't
    exist, for example because of a typo in the URL.
    By default, these errors cause a plain, ugly page to be shown to the user.
    To redirect a 404 or other error, add the .htaccess code below, substituting the URL
    of the page you want the user to be redirected to.
    Other common codes you can set up custom pages for include 401 (you need a password),
    403 (you're not allowed to see this page), and 500 (a cgi script somehow didn't work right).

    ErrorDocument 404 http://www.domain.com/pagemissing.htm
    ErrorDocument 500 /errors/cgierror.htm
    ErrorDocument 401 /errors/needpassword.htm

    Note the two kinds of URLs. You can use either a full URL (starting with http://)
    to redirect to a different site, or use just the path to display a page on your site.
    It is always preferable to use the second form, the local path. For redirecting 401 errors,
    you should always use the local path, NEVER a full URL.

    Ban certain IPs from accessing your site, or only allow certain IPs

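    Allow only certain users from certain ISPs to access. Note that <Limit GET>
    applies the rules to GET (and HEAD) requests only; other request methods are
    not restricted by this block: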

    <Limit GET>
    order deny,allow
    deny from all
    allow from your.isp.net
    </Limit>

    Block certain users from certain ISPs:

    <Limit GET>
    order allow,deny
    allow from all
    deny from bad.people.com
    </Limit>

