This page has been robot translated, sorry for typos if any. Original content here.

25 .htaccess rules that every web developer should know

Before we begin, I draw your attention to the fact that overusing .htaccess can reduce your site's performance: Apache looks for and re-parses these files in every directory along the request path on every request. The main rule: implement a task in .htaccess only when there is no other option (typically, when you cannot edit the main server configuration).

Make sure you have a backup copy of your site's original .htaccess file before making any changes. Also remember that whether the rules below work depends on how your host has configured the web server: some directives may be disallowed, and a disallowed directive does not simply do nothing but makes Apache answer every request in that directory with a 500 Internal Server Error, so test the site after each change.

.htaccess (from hypertext access) is an additional configuration file for the Apache web server and for servers compatible with it. It lets you set a large number of additional parameters and permissions for the operation of the web server in individual directories (folders), such as controlled access to directories, remapping of file types and so on, without modifying the main configuration file.

A .htaccess file can be placed in any directory. Its directives apply to all files in that directory and in all its subdirectories (unless they are overridden by directives in a .htaccess file deeper in the tree).

For .htaccess files to be used at all, the main configuration file must allow it: the AllowOverride directive must be set to All, or at least to the categories the rules need (for example AuthConfig for the password rules, Limit for the IP rules, FileInfo for mod_rewrite and ErrorDocument, Indexes for directory listings). As a rule, the vast majority of hosts allow .htaccess files to be used.

1. Prevent other sites from hotlinking your files

Tired of people embedding images hosted on your site in their own pages, spending your bandwidth and loading your hosting for nothing? This code, placed at the end of your .htaccess file, stops third-party sites from loading your images directly (hotlinking). Requests are told apart by the Referer header: an empty Referer is allowed (direct visits, and some proxies and privacy settings strip it), a Referer from your own domain is allowed, and everything else is redirected to a placeholder picture.

    Options +FollowSymlinks
    # Prevent hotlinking of images from external sites
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} !^$
    # example.com stands for your own domain
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com(/|$) [NC]
    # never rewrite the placeholder itself, otherwise the redirect loops
    RewriteCond %{REQUEST_URI} !/stop\.gif$
    RewriteRule .*\.(gif|jpg|png)$ http://example.com/stop.gif [NC,R,L]

Do not forget to replace example.com with your domain name and to create a stop.gif image that will be shown instead of the requested picture. Keep the domain pattern anchored with (/|$) and the dots escaped: an unanchored ^http://(www.)?example.com also accepts a Referer of http://example.com.evil.net/, which defeats the check. Remember that the Referer is sent by the client and can be forged, so this protects bandwidth against casual hotlinking, not against a determined downloader.

2. Block all requests from unwanted User-Agents

This rule blocks requests whose User-Agent header identifies a client that is potentially unwanted or that simply overloads the server with unnecessary requests. Each SetEnvIfNoCase line sets the environment variable bad_bot when the header matches its pattern (the directive is already case-insensitive and takes no [NC,OR] flags; those belong to RewriteCond, and one line per pattern is the OR); the access lines then deny any request carrying that variable.

    # Block bad bots and robots
    SetEnvIfNoCase User-Agent "^FrontPage" bad_bot
    SetEnvIfNoCase User-Agent "^Java.*" bad_bot
    SetEnvIfNoCase User-Agent "^Microsoft.URL" bad_bot
    SetEnvIfNoCase User-Agent "^MSFrontPage" bad_bot
    SetEnvIfNoCase User-Agent "^Offline.Explorer" bad_bot
    SetEnvIfNoCase User-Agent "^[Ww]eb[Bb]andit" bad_bot
    SetEnvIfNoCase User-Agent "^Zeus" bad_bot
    # Apache 2.2 access control (mod_access)
    Order Allow,Deny
    Allow from all
    Deny from env=bad_bot

On Apache 2.4 the last three lines are written with mod_authz_core instead: Require all granted together with Require not env bad_bot inside a <RequireAll> block. Keep in mind that the User-Agent is chosen by the client and trivially changed, so this filters noise from careless tools; it is not a security boundary.

A list of User-Agent strings of browsers, search-engine robots and spiders, web directories, download managers, spam bots and bad bots can be found on the List of User-Agents website.

3. Deny access to everyone except the specified IP addresses

If for some reason you want to deny everyone, or allow only specific IP addresses, access to your site, add this code to your .htaccess file (the domain and the addresses below are placeholders):

    # Deny access to everyone except the specified IP addresses
    ErrorDocument 403 http://example.com/
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10
    Allow from 203.0.113.25

Do not forget to replace example.com and the two addresses with your own. Two caveats: an ErrorDocument given as a full URL makes Apache answer with a redirect (302) instead of a 403, and if the target itself lies inside the restricted area the browser ends up in a redirect loop, so a local page such as the /error/403.php from rule 5 is the safer choice. A partial address (Allow from 203.0.113.) allows the whole prefix. On Apache 2.4 the three access lines become Require ip 203.0.113.10 203.0.113.25.

4. Configuring an SEO-friendly 301 redirect

If you moved the domain name (or part of the site), or want to send the user to a specific page (or pages) without losing search-engine rankings, use this code. A 301 tells crawlers that the move is permanent, so the old address's ranking is transferred to the new one:

    # SEO-friendly 301 redirect (example.com stands for your domain)
    Redirect 301 /1/file.html http://example.com/2/file.html

Do not forget to replace example.com with your domain name, and /1/file.html and /2/file.html with the corresponding directories and pages.

5. Create our own error pages

Tired of the standard look of error pages? No problem: with the following code you can create your own pages and show the visitor exactly those:

    ErrorDocument 401 /error/401.php
    ErrorDocument 403 /error/403.php
    ErrorDocument 404 /error/404.php
    ErrorDocument 500 /error/500.php

Do not forget to create the error folder in the root directory of your site and put the corresponding files in it. Keep the pages simple: an error page that itself depends on something that just failed (a database, for example) produces a second error instead of the friendly message, and never echo the requested URL into the page without HTML-escaping it, or the error page itself becomes a cross-site scripting vector.

6. Create a blacklist of IP addresses

Tired of spam comments or of a specific user? Just block their IP address with the following code added to the .htaccess file (the first address is a placeholder):

    # Blacklist of IP addresses
    Order allow,deny
    allow from all
    deny from 203.0.113.45
    deny from 124.15.

The Order line is essential: with Apache's default order (deny,allow) an allow from all overrides every deny line and nobody is blocked at all. A partial address such as 124.15. blocks the whole 124.15.0.0/16 network, so make sure that is what you intend. On Apache 2.4 the same is written as Require all granted plus Require not ip 203.0.113.45 inside a <RequireAll> block.

You can find commenters' IP addresses in the Apache logs or with the help of statistics services. Many CMSs have their own built-in tools for monitoring visitors' addresses: in Drupal, for example, the IP addresses of commenters can be seen in the administration panel under Reports. Keep in mind that an address behind a shared proxy or carrier NAT may belong to many users, and that the blocked party only has to change address.

7. Set the default e-mail address for the administrator

Use this code to set the default e-mail address of the server administrator, which Apache shows in the signature line of its error pages:

    # Set the default e-mail address for the administrator
    ServerSignature EMail
    SetEnv SERVER_ADMIN webmaster@example.com

Do not forget to replace webmaster@example.com with your e-mail address. Two caveats. SetEnv only sets the SERVER_ADMIN variable seen by CGI and PHP scripts; the address in the signature comes from the ServerAdmin directive, which is not allowed in .htaccess, so on shared hosting the signature may still show the host's address. And ServerSignature EMail appends the Apache version and a mailto: link to every server-generated error page; from a hardening point of view ServerSignature Off, which suppresses that line entirely, is the better default.

8. Protect a specific file

The following code denies access to any file: a 403 error is returned on request. In the example, access to the .htaccess file itself is closed, raising the site's overall security level (the <Files> block names the file; replace .htaccess with any other file name to protect that one instead).

    # Protect the .htaccess file
    <Files .htaccess>
    order allow,deny
    deny from all
    </Files>

A stock Apache configuration already refuses to serve files whose name starts with .ht, so this rule is a belt-and-braces measure for hosts that changed the default. On Apache 2.4 the two access lines are replaced by Require all denied.
9. Compress the elements with mod_deflate

mod_deflate is the Apache 2 module that gzip-compresses responses (it replaces the mod_gzip module of Apache 1.3; the compression format is the same, so it is not a faster alternative to gzip but the way to get gzip). Place the following code at the beginning of your .htaccess file; the FilesMatch list names the file types to compress (the list here is the usual text-type set):

    # Compress the elements with mod_deflate
    <IfModule mod_deflate.c>
    <FilesMatch "\.(js|css|html|htm|php|xml|txt)$">
    SetOutputFilter DEFLATE
    </FilesMatch>
    </IfModule>

Do not add image formats (.jpg, .gif, .png, .tiff, .ico) to the list: those files are already compressed, so deflating them costs CPU time and can even make them larger. One security caveat: on an HTTPS site, compressing a response that contains both a secret (session or CSRF token) and text the attacker can influence lets the secret be recovered from the response length (the BREACH attack), so keep compression to static assets and to pages without such secrets.
10. Adding an Expires header

This code lets you add a fixed expiry date to the response headers (mod_headers must be enabled):

    # Add an Expires header
    <IfModule mod_headers.c>
    Header set Expires "Wed, 21 May 2010 20:00:00 GMT"
    </IfModule>

A fixed date is only useful until it passes; the one in the example is long gone, so a browser receiving it treats the content as already stale and fetches it again. For normal caching prefer the relative lifetimes of mod_expires shown in rule 14, which are computed per request.

11. Set the default page

Usually the default page is index.html, but with this code you can make any other page the one served for a directory request:

    # Set the default page
    DirectoryIndex about.html

12. Password-protect folders and files

You can require a password to access any folder or file on your server with this code. The first block protects a single file (the file name is a placeholder), the second protects the whole directory that the .htaccess file is in:

    # password protection of a single file
    <Files "private.php">
    AuthType Basic
    AuthName "Prompt"
    AuthUserFile /pub/home/.htpasswd
    Require valid-user
    </Files>

    # password protection of a directory
    AuthType Basic
    AuthName "This directory is protected"
    AuthUserFile /pub/home/.htpasswd
    AuthGroupFile /dev/null
    Require valid-user

To organise password access you must create a .htpasswd file and add a login and password pair to it, one per line, in the format user:password.

However, stored that way the passwords are in plain text, which is not good from a security standpoint (and Apache on Unix does not accept plain-text entries at all; only the Windows builds do). Therefore hash the password. The htpasswd utility shipped with Apache does this: htpasswd -B -c /pub/home/.htpasswd alice creates the file with a bcrypt entry for alice (omit -c when adding further users). Online .htpasswd generators exist as well, but do not paste a real password into a third-party site.

In our example the file with the access passwords is called .htpasswd and lives in /pub/home, which is outside the document root so that it can never be served to a visitor. The path is given from the root of the server's filesystem, and if it is wrong Apache cannot read the file and nobody gets in, including the user who enters a correct user:password pair (the error log then shows "Could not open password file"). Also remember that Basic authentication sends the credentials base64-encoded, not encrypted, with every request, so use it only over HTTPS.
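As an added example (not code from the page), here is a small Python audit of an .htpasswd file: it parses the user:hash lines, reports which hashing scheme each entry uses, flags plain-text, classic crypt and unsalted {SHA} entries as weak, and shows how an {SHA} entry is verified. The sample file contents are constructed; the bcrypt and apr1 strings in it are stand-ins whose scheme prefix is all that is inspected.

```python
"""Audit an Apache .htpasswd file for weak password storage (added example)."""
import base64
import hashlib
import hmac

# Constructed sample .htpasswd contents. The bcrypt ($2y$) and apr1 entries are
# stand-ins, not real hashes: only their scheme prefix is inspected below.
SAMPLE_HTPASSWD = """\
# comments and blank lines are ignored
alice:$2y$10$0123456789abcdefghijkuABCDEFGHIJKLMNOPQRSTUVWXYZ012345
bob:$apr1$x7Vq2zQp$Fk4yLt6Hq9zZbQwvAoq5o1

carol:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
dave:password
"""

CRYPT_CHARS = set("./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")
WEAK_SCHEMES = {"plain", "sha1", "crypt"}


def classify(stored):
    """Name the scheme of one htpasswd hash field by its format."""
    if stored.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"            # htpasswd -B: salted and slow, the recommended choice
    if stored.startswith("$apr1$"):
        return "apr1-md5"          # htpasswd -m: salted, iterated MD5 (Apache's default)
    if stored.startswith("{SHA}"):
        return "sha1"              # htpasswd -s: unsalted SHA-1, fast to brute-force
    if len(stored) == 13 and set(stored) <= CRYPT_CHARS:
        return "crypt"             # htpasswd -d: DES crypt(3), 8-char limit (heuristic)
    return "plain"                 # anything else is taken as plain text


def verify_sha(password, stored):
    """Check a password against an {SHA} entry, which is base64(sha1(password))."""
    if not stored.startswith("{SHA}"):
        return False
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    encoded = base64.b64encode(digest).decode("ascii")
    return hmac.compare_digest(encoded, stored[len("{SHA}"):])


def audit(text):
    """Return (user, scheme, is_weak) for every entry in htpasswd-formatted text."""
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, stored = line.partition(":")
        if not sep or not user:
            raise ValueError("malformed htpasswd line: %r" % raw)
        scheme = classify(stored)
        rows.append((user, scheme, scheme in WEAK_SCHEMES))
    return rows


if __name__ == "__main__":
    for user, scheme, weak in audit(SAMPLE_HTPASSWD):
        flag = "WEAK, rehash with htpasswd -B" if weak else "ok"
        print("%-8s %-9s %s" % (user, scheme, flag))
    print("carol/password:", verify_sha("password", "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g="))
```

Run it against a real file by reading the file into audit(); any entry reported as weak should be replaced with htpasswd -B, and the file itself should stay outside the document root.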

13. Redirecting from the old domain to a new one

Using .htaccess you can configure a redirect from the old domain name to the new one by adding the following code (old.example.com and new.example.com are placeholders):

    # Redirect from the old domain to the new one
    RewriteEngine On
    # only fire for the old name, so the rule cannot loop if both names serve this directory
    RewriteCond %{HTTP_HOST} ^(www\.)?old\.example\.com$ [NC]
    RewriteRule ^(.*)$ http://new.example.com/$1 [R=301,L]

The redirect is used when you move an existing site to a new domain name. Any user who types old.example.com in the address bar is then redirected to new.example.com, with the rest of the path preserved.

14. Strengthen caching

This rule does not directly speed up the loading of your site. It is meant to make the site load faster for a visitor who has already been there, by letting the browser reuse what it has cached: the server answers 304 Not Modified for items that have not changed, and with a long Expires lifetime the browser does not even ask.

    # Strengthen caching
    FileETag MTime Size
    <IfModule mod_expires.c>
    ExpiresActive on
    ExpiresDefault "access plus 1 year"
    </IfModule>

Thus, when a page is reloaded, the visitor's browser does not download images, scripts or CSS again but uses the copies already in its cache. You can change the lifetime of the cache by giving the value in years, months or, for example, seconds; the example uses 1 year. Note that ExpiresDefault applies to every response, HTML and dynamic pages included, so a visitor may keep seeing a year-old page after you change it; scope the lifetime to static types with ExpiresByType (for example ExpiresByType image/png "access plus 1 year") and change file names when you change their content.

15. Compress the components of the site by enabling gzip

If you use gzip, the server compresses the files before sending them to the user, which makes your site load faster:

    # Compress the components of the site with gzip
    <IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html text/plain text/xml application/xml application/xhtml+xml text/javascript text/css application/x-javascript
    BrowserMatch ^Mozilla/4 gzip-only-text/html
    BrowserMatch ^Mozilla/4\.0[678] no-gzip
    BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
    </IfModule>

Note that enabling compression increases the load on the server's processor. The AddOutputFilterByType line is one long line; the BrowserMatch lines work around bugs in Netscape 4 and old Internet Explorer releases and can be dropped if you do not care about those browsers. Do not compress HTTPS pages that mix a secret such as a CSRF token with attacker-influenced text, because the response length then leaks the secret (the BREACH attack).

16. Remove "category" from the URL

To turn http://example.com/category/blue-sky into http://example.com/blue-sky, simply add the following code at the end of your .htaccess file (example.com and the path are placeholders):

    # Remove the category from the URL
    RewriteEngine On
    RewriteRule ^category/(.+)$ http://example.com/$1 [R=301,L]

Do not forget to replace example.com with your domain name. The rule only redirects; the site must actually serve the shorter address, otherwise visitors land on a 404.

17. Prohibit viewing the contents of a folder

To keep directory listings, which can reveal all kinds of information, from being shown, and to make the server safer, add this code to the .htaccess file:

    # Do not show the contents of a folder
    Options -Indexes

Write it exactly like that: Options All -Indexes mixes an absolute setting with a relative one, which Apache rejects as a syntax error (a 500 error for every request in that directory), and All would also switch on ExecCGI and server-side includes wherever the host permits them.

18. Redirecting our RSS feed to FeedBurner

Let's show how this is done using the Drupal RSS feed and the Google FeedBurner service as an example (feeds.feedburner.com is FeedBurner's feed host; yourfeed is a placeholder):

    # Redirect the Drupal RSS feed to FeedBurner
    RewriteEngine on
    RewriteCond %{HTTP_USER_AGENT} !FeedBurner [NC]
    RewriteCond %{HTTP_USER_AGENT} !FeedValidator [NC]
    RewriteRule ^rss\.xml$ http://feeds.feedburner.com/yourfeed [R=302,NC,L]

First register your blog's feed with the FeedBurner service. Then do not forget to replace yourfeed with the name of your feed on FeedBurner. The two conditions let FeedBurner itself and the feed validator fetch the original rss.xml; everyone else is sent to the FeedBurner copy.

19. Prohibit comments from users without a Referer

Most spam bots post directly to the comment handler, for example wp-comments-post.php in WordPress or comment/reply in Drupal, without ever opening the pages of your blog. The code below blocks comments submitted by users who came "from nowhere" and lets only readers who reached the form from some other page (your own or, for example, Google's search results) comment. Such a request is bounced back to the sender's own address.

    # Prohibit comments from users without a Referer (example.com stands for your blog)
    RewriteEngine On
    # only comment submissions, not the form itself
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} /comment/reply/
    RewriteCond %{HTTP_REFERER} !.*example\.com.* [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]

Do not forget to replace example.com with the domain name of your blog. Both the Referer and the User-Agent are set by the client: any spam bot can send a plausible pair, while browsers and extensions that strip the Referer for privacy will have their users' comments rejected, so expect some false positives and no protection against a bot that bothers to set the headers.

20. Remove the file extension from the URL

This code lets you drop the .php extension (change it to any other, for example .html) from page URLs: a request for /about is served by /about.php.

    # Remove the file extension from the URL
    RewriteEngine On
    # only rewrite when the request is not a directory and the .php file exists
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME}.php -f
    RewriteRule ^(([^/]+/)*[^.]+)$ /$1.php [L]

The two RewriteCond lines matter: the pattern alone also matches a path with a trailing slash such as about/ and turns it into /about/.php, and it would rewrite any dot-less name whether or not a matching script exists.
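Added example (not from the page) that models the RewriteRule pattern of rule 20 in Python over constructed paths. In .htaccess context mod_rewrite matches the pattern against the path relative to the directory, without a leading slash, which the model reproduces; the guarded variant stands in for RewriteCond checks on %{REQUEST_FILENAME} (!-d and .php -f) and shows why they are needed. The docroot contents it consults are constructed.

```python
"""Model of rule 20's extension-stripping RewriteRule (added example)."""
import re

# The page's pattern: any number of "segment/" groups, then a final segment
# without a dot. Matched against the per-directory path (no leading slash).
PATTERN = re.compile(r"^(([^/]+/)*[^.]+)$")


def rewrite(path):
    """RewriteRule ^(([^/]+/)*[^.]+)$ /$1.php alone: return the new URI or None."""
    match = PATTERN.match(path)
    if match is None:
        return None
    return "/%s.php" % match.group(1)


def rewrite_guarded(path, existing_files, existing_dirs):
    """The same rule with two RewriteCond guards modelled in front of it:
       RewriteCond %{REQUEST_FILENAME} !-d      (not an existing directory)
       RewriteCond %{REQUEST_FILENAME}.php -f   (the target script exists)
    existing_files / existing_dirs are docroot-relative names (constructed)."""
    if path.rstrip("/") in existing_dirs:
        return None                       # let Apache serve the directory itself
    target = rewrite(path)
    if target is None:
        return None
    if target.lstrip("/") not in existing_files:
        return None                       # no such .php: fall through to a 404
    return target


# Constructed docroot contents for the guarded variant.
FILES = {"about.php", "blog/post.php", "index.php"}
DIRS = {"blog", "img"}

if __name__ == "__main__":
    for p in ("about", "blog/post", "img/logo.png", "about/", "blog", "contact"):
        print("%-14s raw -> %-16s guarded -> %s"
              % (p, rewrite(p), rewrite_guarded(p, FILES, DIRS)))
```

The raw column shows the two surprises: about/ becomes /about/.php and a bare directory name such as blog becomes /blog.php; the guarded column leaves both alone so that Apache serves the directory or returns a 404 as usual.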

21. Protecting the site

This code guards the site against script injection through the query string and against attempts to overwrite the _REQUEST and GLOBALS variables (an old PHP register_globals trick):

    # Enable symlink following (mod_rewrite in .htaccess needs it)
    Options +FollowSymLinks
    # Start URL rewriting
    RewriteEngine On
    # Block all query strings that contain <script>
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    # Block all scripts that try to change PHP's GLOBALS variables
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    # Block all scripts that try to change the _REQUEST variable
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    # Answer such requests with 403 Forbidden (the substitution is ignored with [F])
    RewriteRule ^(.*)$ - [F,L]

Treat this as noise reduction, not as a fix. The conditions look only at the raw query string, so a POST body, a cookie or a header is never inspected, and the patterns are signature matches that a double-encoded payload (%253Cscript) or a tag other than <script> walks straight past, while an innocent search for "<b>javascript</b>" is refused. The real protection is in the application: register_globals off, input validation and output encoding.
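Added example (not from the page): the three RewriteCond patterns of rule 21 translated to Python and run over constructed query strings, to show what the filter catches and what it misses. Like mod_rewrite, the model tests the query string exactly as the client sent it, percent-encoding included; the first pattern is case-insensitive ([NC]), the other two are not.

```python
"""What rule 21's query-string filter catches and misses (added example)."""
import re

# The three RewriteCond patterns, as written on the page.
SCRIPT_TAG = re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE)   # [NC]
GLOBALS_SET = re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})")
REQUEST_SET = re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})")


def blocked(query_string):
    """True when the [OR]-chained conditions fire and the request gets a 403."""
    return any(p.search(query_string) is not None
               for p in (SCRIPT_TAG, GLOBALS_SET, REQUEST_SET))


# Constructed query strings: (query, why it is interesting)
SAMPLES = [
    ("q=<script>alert(1)</script>",          "caught: literal tag"),
    ("q=%3Cscript%3Ealert(1)%3C/script%3E",  "caught: single percent-encoding"),
    ("GLOBALS[admin]=1&x=1",                 "caught: register_globals trick"),
    ("_REQUEST%5Bid%5D=1",                   "caught: encoded bracket"),
    ("q=%253Cscript%253E",                   "missed: double encoding, decoded later by the app"),
    ("q=<svg onload=alert(1)>",              "missed: no 'script' substring"),
    ("q=<img src=x onerror=alert(1)>",       "missed: event handler, no tag named script"),
    ("q=<b>javascript tips</b>",             "false positive: harmless markup"),
    ("page=2&sort=name",                     "clean"),
]


def evaluate():
    """Return [(query, blocked?)] for the samples, in order."""
    return [(q, blocked(q)) for q, _ in SAMPLES]


if __name__ == "__main__":
    for (q, note), (_, hit) in zip(SAMPLES, evaluate()):
        print("%-5s %-40s %s" % ("403" if hit else "pass", q, note))
```

The misses are the point: a filter on the raw query string is a speed bump for untargeted scanners, and the application still has to treat every parameter as untrusted.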

22. Redirect the visitor with the RedirectMatch directive and regular expressions

Another useful directive worth recommending is RedirectMatch. To quote the documentation: this directive lets you use a regular expression (the redirect then applies not "to this document" but "to all documents such as ...") as the requested address. The redirect is external: the browser is told to fetch another page.

    RedirectMatch [status] regexp URL

The status values (the HTTP codes returned by the web server) are the standard ones:

permanent (301, permanent redirect), temp (302, temporary redirect, come back later), seeother (303, the resource has been replaced, see the other one), gone (410, permanently removed; no URL argument is given in that case).

The same redirect from the old domain to the new one without enabling RewriteEngine (new.example.com is a placeholder; the regular expression is matched against the URL path including its leading slash, so $1 already starts with /):

    RedirectMatch 301 ^(.*)$ http://new.example.com$1

I will add from myself that the regular expression can carry any condition on the path, not only a catch-all: for example, send every .gif to a .png of the same name, or every .jpg to a separate image host (example.com and images.example.com are placeholders):

    RedirectMatch (.*)\.gif$ http://example.com$1.png
    RedirectMatch (.*\.jpg)$ http://images.example.com$1

Make sure to back up the .htaccess file before making changes, and check that the whole site still works after adding new lines.

23. Protection from direct links to images through .htaccess

A hotlink is a direct link to an image or file on one site embedded in another. It is used quite often: for example, you do not have enough space on your server to store pictures, so you use some free image-hosting service, upload a picture, get a URL and paste it into your site.

As a result you save space on your site and use the image host's bandwidth, which is no longer your concern. But what do you do when someone decides that your site can serve as such a free host?

How not to become a free provider of images and files?

Is there protection against this? Yes, there is! To stop other sites from using your traffic and/or simply linking directly to your files (pictures), add the following lines to your .htaccess file (example.com and 203.0.113.10 stand for your domain and your server's IP address):

    # Prevent other sites from using direct links to your images
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} !^$
    # Allowed domains
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com(/|$) [NC]
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com:80(/|$) [NC]
    # The site's IP address
    RewriteCond %{HTTP_REFERER} !^https?://203\.0\.113\.10(/|$) [NC]
    RewriteCond %{HTTP_REFERER} !^https?://203\.0\.113\.10:80(/|$) [NC]
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?google\. [NC]
    # RewriteCond %{HTTP_REFERER} !^https?://(www\.)?friendly-site\.example(/|$) [NC]
    RewriteCond %{HTTP_REFERER} !search\?q=cache [NC]
    # File formats that are protected
    # Variant 1: answer with error 403
    # RewriteRule \.(jpe?g|bmp|gif|png|css|mov|swf|dcr|exe|rar|avi|vob|zip|pdf|txt|doc|flv|mp3|mp4)$ - [NC,F,L]
    # Variant 2: show a placeholder picture instead of the requested one
    RewriteCond %{REQUEST_URI} !/nohotlink\.jpg$
    RewriteRule .*\.(jpe?g|bmp|gif|png)$ /files/images/nohotlink.jpg [NC,L]

With variant 1 every other site gets a 403 Forbidden (access denied) and your bandwidth no longer works for others; with variant 2 they get the placeholder. The RewriteCond on REQUEST_URI keeps the placeholder itself out of the rule so that the internal rewrite cannot loop. Note that the google. and search?q=cache exceptions, which are there so that image search and cache views keep working, match any host whose name starts with google. and any URL containing that query, so they are easy to imitate; drop them if exactness matters more than search-engine previews.
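Added example (not from the page) that models the Referer checks of rules 1 and 23 in Python over constructed requests. It contrasts the commonly copied, unanchored domain pattern with an anchored one, shows the look-alike host that slips past the former, and shows why the placeholder image has to be excluded from the rule. example.com stands for the protected site; all referers and paths are constructed.

```python
"""Referer-based hotlink check from rules 1 and 23, modelled in Python (added example)."""
import re

# File types the rule protects (the image list from rule 1).
PROTECTED = re.compile(r"\.(gif|jpe?g|png)$", re.IGNORECASE)

# The pattern as it is usually copied: dots unescaped, nothing after the host.
LOOSE_OWN_SITE = re.compile(r"^https?://(www.)?example.com", re.IGNORECASE)
# Anchored version: dots escaped, optional port, then "/" or end of string.
STRICT_OWN_SITE = re.compile(r"^https?://(www\.)?example\.com(:\d+)?(/|$)", re.IGNORECASE)


def is_hotlink(referer, path, own_site=STRICT_OWN_SITE, placeholder="/stop.gif"):
    """Mirror the RewriteCond chain; True means the rule fires (block or redirect).

    RewriteCond %{HTTP_REFERER} !^$              -> empty referer is let through
    RewriteCond %{HTTP_REFERER} !<own_site>      -> own pages are let through
    RewriteCond %{REQUEST_URI}  !/stop\\.gif$     -> the placeholder is never rewritten
    RewriteRule .*\\.(gif|jpg|png)$ .../stop.gif  -> everything else that is an image
    """
    if PROTECTED.search(path) is None:
        return False
    if referer == "":
        return False
    if own_site.search(referer) is not None:
        return False
    if path.endswith(placeholder):
        return False
    return True


# Constructed requests: (referer, requested path)
REQUESTS = [
    ("", "/photos/a.jpg"),                                   # direct visit: allowed
    ("https://www.example.com/gallery", "/photos/a.jpg"),    # own page: allowed
    ("http://other.example.net/page", "/photos/a.jpg"),      # hotlink: blocked
    ("http://other.example.net/page", "/docs/readme.txt"),   # not an image: allowed
    ("http://example.com.evil.example/", "/photos/a.jpg"),   # look-alike host
    ("http://other.example.net/page", "/stop.gif"),          # the placeholder itself
]


def compare():
    """Decisions of the loose and the strict pattern for every sample request."""
    return [(ref, path, is_hotlink(ref, path, LOOSE_OWN_SITE), is_hotlink(ref, path))
            for ref, path in REQUESTS]


if __name__ == "__main__":
    print("%-38s %-18s loose  strict" % ("referer", "path"))
    for ref, path, loose, strict in compare():
        print("%-38s %-18s %-6s %s" % (ref or "(none)", path, loose, strict))
```

The fifth row is the one to look at: the loose pattern treats http://example.com.evil.example/ as your own site, the anchored one does not. The last row shows that without the placeholder exclusion the redirect target would itself match the rule.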

24. ImageCache and hotlink protection through .htaccess

For ImageCache the previous rule does not work, so add the following settings instead (domain.ru and domain.com are the allowed domains from the example; the extension list is the usual image set):

    # Requests without a Referer count as local
    SetEnvIfNoCase Referer "^$" local_ref=1
    # Allowed domains
    SetEnvIfNoCase Referer "^https?://(www\.)?domain\.ru(/|$)" local_ref=1
    SetEnvIfNoCase Referer "^https?://(www\.)?domain\.com(/|$)" local_ref=1
    # File extensions that you want to protect
    <FilesMatch "\.(jpe?g|gif|png)$">
    Order Allow,Deny
    Allow from env=local_ref
    </FilesMatch>

Now we have both hotlink protection and the ImageCache module, and they work together fine. One "but": done this way it is not possible to serve a different picture; foreign requests for the images are simply refused with a 403, which is the main goal anyway. On Apache 2.4 the two access lines inside FilesMatch become Require env local_ref.