25 .htaccess rules that every web developer should know
Before we begin, note that overusing .htaccess can slow your site down: Apache re-reads every .htaccess file along the path to the requested file on each request. The main rule: use .htaccess to implement a task only when there is no other option, for example because you cannot edit the main server configuration.
Make sure you have a backup copy of the original .htaccess file before making any changes. Remember also that whether the rules below work depends on how your host has configured the web server: some directives may be disallowed, in which case they do not work, and a disallowed directive in .htaccess typically turns the whole directory into a 500 Internal Server Error.
.htaccess (short for hypertext access) is a supplementary configuration file for the Apache web server and servers compatible with it. It lets you set a large number of additional parameters and permissions for the web server's operation in individual directories (folders), such as access control for a directory, redirects by file type and so on, without changing the main configuration file.
A .htaccess file can be placed in any directory. Its directives apply to all files in that directory and in all of its subdirectories (unless a .htaccess file deeper in the tree overrides them).
For .htaccess files to take effect, the main configuration must permit them: the AllowOverride directive for the directory has to allow the relevant directive groups (AllowOverride All permits everything; a host may instead grant only, say, FileInfo, Limit or AuthConfig, and then only directives from those groups work). The vast majority of hosting providers allow .htaccess files. One more caveat for the access-control rules below: they are written in the Apache 2.2 syntax (Order, Allow, Deny). Apache 2.4 still understands it, but only when the mod_access_compat module is loaded; the native 2.4 form is the Require directive (Require all denied, Require ip 203.0.113.5, and so on), and the two styles should not be mixed in one scope.
1. Do not upload files from external sites
Tired of people embedding the images published on your site in their own pages, using your bandwidth and putting extra load on your hosting? The following code, placed at the end of your .htaccess file, stops third-party sites from hotlinking your images.
Options +FollowSymlinks
# Do not serve images to external sites
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?site\.com/ [NC]
RewriteCond %{REQUEST_URI} !/stop\.gif$
RewriteRule \.(gif|jpg|png)$ http://site.com/stop.gif [NC,R,L]
Replace site.com with your domain name and create a stop.gif image that will be shown instead of the requested picture. The condition on REQUEST_URI excludes stop.gif itself from the rule: without it, the browser's follow-up request for stop.gif carries the same foreign Referer, matches the rule again and ends in a redirect loop. Keep in mind that the Referer header is sent by the client and can be omitted or forged, so this is a bandwidth-saving measure, not access control.
2. Block all requests from unwanted User Agents
This rule blocks requests from unwanted User-Agents, which may be potentially dangerous or simply overload the server with pointless requests.
# Block bad bots and robots
SetEnvIfNoCase User-Agent "^FrontPage" bad_bot
SetEnvIfNoCase User-Agent "^Java.*" bad_bot
SetEnvIfNoCase User-Agent "^Microsoft.URL" bad_bot
SetEnvIfNoCase User-Agent "^MSFrontPage" bad_bot
SetEnvIfNoCase User-Agent "^Offline.Explorer" bad_bot
SetEnvIfNoCase User-Agent "^WebBandit" bad_bot
SetEnvIfNoCase User-Agent "^Zeus" bad_bot
Order Allow,Deny
Allow from all
Deny from env=bad_bot
Each SetEnvIfNoCase line sets the bad_bot variable when the User-Agent matches (the NoCase variant already matches case-insensitively, so spellings like [Ww]eb[Bb]andit are unnecessary); the last three lines then deny any request carrying that variable. Lists of User-Agent strings for browsers, search-engine robots and spiders, web directories, download managers, spam bots and bad bots can be found on the List of User-Agents website. Bear in mind that the User-Agent header is chosen by the client and trivially forged, so this only stops careless bots: anything that wants in simply sends a browser's User-Agent.
3. Deny access for all but the specified IP addresses
If for some reason you want to deny everyone and allow only specific IP addresses to access your site, add this code to your .htaccess file:
# Deny access for all but the specified IP addresses
ErrorDocument 403 http://www.domainname.com
Order deny,allow
Deny from all
Allow from 124.34.48.165
Allow from 102.54.68.123
Replace the IP addresses with your own (the ones shown are placeholders). The ErrorDocument line sends denied visitors to another address; it must point at a different site from the one you are protecting, otherwise the redirected request is denied as well and the browser loops. Two more things to check: the Order argument is written as one word, deny,allow or allow,deny with no space after the comma, or Apache rejects the directive; and if the site sits behind a reverse proxy, load balancer or CDN, Apache sees the proxy's address as the client IP unless mod_remoteip (or an equivalent) is configured, so a whitelist like this locks everyone out.
4. Configure SEO-Friendly 301 Redirect
If you have moved a domain name (or a section of the site) or want to redirect users to a specific page or pages without losing search-engine rankings, use this code:
# Configure an SEO-friendly 301 redirect
Redirect 301 /1/file.html http://www.site.com/2/file.html
Replace site.com with your domain name and /1/file.html and /2/file.html with the corresponding paths. Note that Redirect matches by prefix: a rule for /1 also catches /1/anything and appends the remainder to the target URL, so be precise about the path you redirect.
5. Create our own error pages
Tired of the standard look of error pages? No problem: with the following code you can easily create your own pages and show exactly those to the user:
ErrorDocument 401 /error/401.php
ErrorDocument 403 /error/403.php
ErrorDocument 404 /error/404.php
ErrorDocument 500 /error/500.php
Do not forget to create the error folder in the root directory of your site and put the corresponding files in it. Since these pages are scripts, do not print the requested URL or query string into them unescaped: an error page that reflects attacker-controlled input is a classic cross-site scripting vector, and it is reachable from any 404.
6. Create a black list of IP addresses
Tired of spam comments or of a particular user? Just block their IP address with the following code, added to the .htaccess file.
# Create a blacklist of IP addresses
Order allow,deny
Allow from all
Deny from 145.186.14.122
Deny from 124.15.
The Order allow,deny line is what makes this work: with it, a matching Deny overrides Allow from all. Under Apache's default order (deny,allow) the Allow from all would override every Deny line and the blacklist would block nobody. A partial address such as 124.15. blocks the whole 124.15.0.0/16 range; partial addresses must stop on an octet boundary. You can find the IP addresses of commenters in the Apache logs or through statistics services. Many CMSs have built-in tools for monitoring visitors' addresses; in Drupal, for example, the IP addresses of commenters are shown in the administration panel under Reports.
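Because the difference between the two Order forms is exactly the kind of thing that silently breaks a blacklist, here is an added example (my code, not part of the original article) that evaluates fragments like those in rules 3 and 6 the way mod_access_compat does. It is plain Python with no Apache involved; the IP addresses are the placeholders from the article and the fragments are constructed for the test. Host names and env=... arguments are not modelled.

```python
import ipaddress


def parse_access_rules(htaccess):
    """Extract Order / Allow from / Deny from from a .htaccess fragment.

    Apache's default when no Order directive is given is deny,allow.
    Host names and env=... arguments are not modelled (they never match here).
    """
    order, allow, deny = "deny,allow", [], []
    for raw in htaccess.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        directive, _, args = line.partition(" ")
        name = directive.lower()
        if name == "order":
            order = args.replace(" ", "").lower()
        elif name in ("allow", "deny"):
            words = args.split()
            if words and words[0].lower() == "from":
                (allow if name == "allow" else deny).extend(words[1:])
    return order, allow, deny


def ip_matches(client, spec):
    """Does the client address match one Allow/Deny argument?

    Handles the address forms mod_access_compat accepts: 'all', a full
    address, a partial IPv4 address such as '124.15.' (octet boundary),
    and a CIDR or netmask range such as '10.0.0.0/8'.
    """
    spec = spec.strip()
    if spec.lower() == "all":
        return True
    if "=" in spec:                      # env=... arguments: not modelled
        return False
    addr = ipaddress.ip_address(client)
    if "/" in spec:
        return addr in ipaddress.ip_network(spec, strict=False)
    if spec.endswith(".") or (":" not in spec and spec.count(".") < 3):
        return client.startswith(spec.rstrip(".") + ".")
    return addr == ipaddress.ip_address(spec)


def access_granted(htaccess, client):
    """Evaluate a fragment for one client IP with Apache 2.2 semantics."""
    order, allow, deny = parse_access_rules(htaccess)
    allowed = any(ip_matches(client, s) for s in allow)
    denied = any(ip_matches(client, s) for s in deny)
    if order == "allow,deny":
        # Allow first, then Deny; a Deny match wins; unmatched -> denied
        return allowed and not denied
    # deny,allow: Deny first, then Allow; an Allow match wins; unmatched -> allowed
    return allowed or not denied


# Constructed fragments mirroring rules 6 and 3 of the article.
BLACKLIST_NO_ORDER = """
Allow from all
Deny from 145.186.14.122
Deny from 124.15.
"""
BLACKLIST_FIXED = "Order allow,deny\n" + BLACKLIST_NO_ORDER
WHITELIST = """
Order deny,allow
Deny from all
Allow from 124.34.48.165
Allow from 102.54.68.123
"""


def blacklist_check(client):
    """Access under the rule-6 fragment without and with its Order line."""
    return (access_granted(BLACKLIST_NO_ORDER, client),
            access_granted(BLACKLIST_FIXED, client))


if __name__ == "__main__":
    for ip in ("145.186.14.122", "124.15.3.7", "203.0.113.9"):
        print(ip, "blacklist (no Order, allow,deny):", blacklist_check(ip),
              "whitelist:", access_granted(WHITELIST, ip))
```

Running it shows the rule-6 fragment granting access to 145.186.14.122 and to the whole 124.15. range when no Order line is present (the default deny,allow lets Allow from all win) and denying them once Order allow,deny is added, while the rule-3 whitelist admits only the listed addresses.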
7. Set the default e-mail address for the administrator
Use this code to set the default e-mail address for the server administrator.
# Set the default e-mail address for the administrator
ServerSignature EMail
SetEnv SERVER_ADMIN [email protected]
Replace [email protected] with your e-mail address. Bear in mind that ServerSignature EMail, like ServerSignature On, appends a footer with the server software and version to every server-generated error page; hardening guides usually set it to Off, which also hides the address.
8. Protect a specific file
The following code denies access to any file; a request for it gets a 403 error. In this example I closed access to the .htaccess file itself, raising the overall security level of the site.
# Protect the .htaccess file
<Files .htaccess>
Order allow,deny
Deny from all
</Files>
To protect another file, put its name in the Files directive. Apache's stock configuration already refuses to serve files whose names start with .ht, but the rule costs nothing if your host has removed that protection.
9. Compress the elements with mod_deflate
As an alternative to enabling Gzip compression per content type (rule 15), you can hand a set of file extensions to mod_deflate (it is said to be somewhat faster). Place the following code at the beginning of your .htaccess file and adjust the list of extensions to your site. Do not add already compressed formats such as .jpg, .gif, .png or .ico: they will not get any smaller, and you only burn CPU time on every request.
# Compress the elements using mod_deflate
<IfModule mod_deflate.c>
<FilesMatch "\.(js|css|html|htm|php|xml|txt)$">
SetOutputFilter DEFLATE
</FilesMatch>
</IfModule>
10. Adding Lifetime to Headers
This code sets an explicit expiry date in the response headers of static files:
# Add a lifetime to headers
<IfModule mod_headers.c>
<FilesMatch "\.(ico|jpe?g|png|gif|css|js)$">
Header set Expires "Wed, 21 May 2010 20:00:00 GMT"
</FilesMatch>
</IfModule>
A fixed date must lie in the future and has to be moved forward by hand; the date in the example has long passed, which tells browsers the files are already stale. Rule 14 shows the mod_expires form with a relative lifetime, which is usually more convenient.
11. Set the default pages
Typically the default page is index.html, but with this code you can make any other page the default.
# Set up an alternate default page
DirectoryIndex about.html
You can list several names after DirectoryIndex; Apache serves the first one that exists in the directory.
12. Password protect folders and files
You can require a password for access to any folder or file on your server with this code:
# Password-protect a single file (replace secret.html with the file in question)
<Files "secret.html">
AuthType Basic
AuthName "Prompt"
AuthUserFile /pub/home/.htpasswd
Require valid-user
</Files>
# Password-protect the folder in which the .htaccess file resides
AuthType Basic
AuthName "This directory is protected"
AuthUserFile /pub/home/.htpasswd
AuthGroupFile /dev/null
Require valid-user
To set up password access you need to create the .htpasswd file and add a login:password pair to it, one per line.
If you write the password in there as it is, it is stored in the clear, which is bad from a security standpoint (and on Linux hosts Apache will not even accept a plaintext entry: it expects a hash). Store a hash instead. Generate it locally with the htpasswd utility that ships with Apache (for example htpasswd -B /pub/home/.htpasswd user, which uses bcrypt on Apache 2.4) rather than with an online .htpasswd generator: pasting a real password into somebody else's web form hands that password to the site's operator. Also remember that Basic authentication sends the login and password base64-encoded, not encrypted, with every request, so the protected pages should only be served over HTTPS.
In our example the password file is called .htpasswd and AuthUserFile points to it by an absolute path on the server's filesystem, not a URL path; keep it outside the document root so it can never be downloaded. If the path is wrong, Apache cannot read the file and denies the folder to everybody, including users who type the correct login:password pair.
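As an added example (my code, not the article's or Apache's), the following Python generates and verifies .htpasswd entries locally in Apache's $apr1$ format, the portable default of the htpasswd tool, and audits a file for entries that are not hashed. The sample file, the user names and the passwords are constructed for the test; bcrypt entries, which htpasswd -B produces on Apache 2.4 and which are the better choice there, are recognised by the audit but not generated, because that needs a bcrypt library.

```python
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """md5-crypt's base-64 variant: least significant 6 bits first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def apr1_md5(password, salt):
    """Apache's $apr1$ hash: md5-crypt with the apr1 magic, as htpasswd -m produces."""
    pw = password.encode()
    salt = salt[:8]
    sb = salt.encode()
    ctx = hashlib.md5(pw + b"$apr1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed 1000 stretching rounds, as in the APR reference code
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    triples = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                      for a, b, c in triples)
    encoded += _to64(final[11], 2)
    return "$apr1$" + salt + "$" + encoded


def make_entry(user, password):
    """One .htpasswd line with a fresh random salt, generated locally."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return user + ":" + apr1_md5(password, salt)


def verify(entry, user, password):
    """Check a login/password pair against one $apr1$ .htpasswd line."""
    name, _, stored = entry.partition(":")
    if name != user or not stored.startswith("$apr1$"):
        return False
    salt = stored.split("$")[2]
    return hmac.compare_digest(apr1_md5(password, salt), stored)


def audit(htpasswd_text):
    """Map each user to the hash scheme of its entry; 'plaintext?' marks unhashed entries."""
    schemes = {}
    for line in htpasswd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        if stored.startswith("$apr1$"):
            schemes[user] = "apr1-md5"
        elif stored.startswith(("$2y$", "$2a$", "$2b$")):
            schemes[user] = "bcrypt"
        elif stored.startswith("{SHA}"):
            schemes[user] = "sha1"
        elif len(stored) == 13 and "$" not in stored:
            schemes[user] = "crypt"    # traditional DES crypt (or a 13-char plaintext)
        else:
            schemes[user] = "plaintext?"
    return schemes


# Constructed sample file: one hashed entry, one stored in the clear.
SAMPLE_HTPASSWD = ("# constructed sample\n"
                   "alice:" + apr1_md5("correct horse", "saltsalt") + "\n"
                   "bob:secret\n")

if __name__ == "__main__":
    print(audit(SAMPLE_HTPASSWD))
    entry = make_entry("carol", "hunter2")
    print(entry, verify(entry, "carol", "hunter2"), verify(entry, "carol", "nope"))
```

The comparison in verify uses hmac.compare_digest so that a wrong password takes the same time as a right one. APR1 is only 1000 rounds of MD5, so it does little to slow down offline cracking of a stolen .htpasswd; it is shown here because it is what the tool emits by default and because it needs nothing beyond the standard library.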
13. Redirecting from the old domain to a new one
Using .htaccess, you can redirect from the old domain name to the new one by adding the following code:
# Redirect from the old domain old.com to the new one
RewriteEngine On
RewriteRule ^(.*)$ http://www.new.com/$1 [R=301,L]
Use this when you move an existing site to a new domain name: any user who types www.old.com in the address bar is sent to the same path on www.new.com. Put the rule in the .htaccess of the old domain only. If both names point at the same directory, precede the rule with a RewriteCond on %{HTTP_HOST} that matches only the old name; otherwise www.new.com redirects to itself in a loop.
14. Enhance caching
This rule does not make the first load of your site any faster. It speeds up repeat visits: the browser keeps items it has already fetched and, for items that have not changed, the server answers with status 304 instead of sending them again.
# Enhance caching
FileETag MTime Size
<IfModule mod_expires.c>
ExpiresActive on
ExpiresDefault "access plus 1 year"
</IfModule>
So when a page is reloaded, the visitor's browser does not download images, scripts or CSS again but uses the copies already in its cache. You can change the cache lifetime by adjusting the value in years, months or, for example, seconds; in the example it is 1 year. A year-long default applies to HTML and everything else too, so visitors may keep stale pages: set lifetimes per content type with ExpiresByType, or give changing assets versioned file names.
15. Compress the components of the site by including Gzip
If you enable Gzip, the server compresses files before sending them to the user, which makes your site load faster.
# Compress the components of the site by enabling Gzip
AddOutputFilterByType DEFLATE text/html text/plain text/xml application/xml application/xhtml+xml text/javascript text/css application/x-javascript
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
Note that enabling compression increases the load on the server's processor. The AddOutputFilterByType directive is one long line listing all the content types. The three BrowserMatch lines work around bugs in Netscape 4 and early Internet Explorer and can be dropped today. One security caveat: compressing dynamic HTML that places secrets (session or CSRF tokens) next to attacker-controlled input exposes them to compression-oracle attacks such as BREACH, even over TLS; static assets are safe to compress.
16. Remove the "category" from the URL
To change yourdomain.com/category/blue to yourdomain.com/blue, simply add the following code at the end of your .htaccess file.
# Remove "category" from the URL
RewriteRule ^category/(.+)$ http://www.site.com/$1 [R=301,L]
Replace www.site.com with your domain name. This changes only the address the visitor sees: the application must also answer at /blue (through an internal rewrite or its own routing), otherwise the new URL simply returns 404.
17. We prohibit viewing the contents of a folder
To keep the contents of directories from being listed (they can contain all sorts of information) and thereby improve the security of the server, add this code to the .htaccess file:
# Do not list the contents of a folder
Options -Indexes
The form Options All -Indexes that often circulates is worse than it looks: All also switches on Includes and ExecCGI wherever the host permits them. The minus form on its own removes only directory listings and leaves the other options as inherited.
18. Redirecting your RSS feed to FeedBurner
Let us show how this is done using the example of a Drupal RSS feed and Google's FeedBurner service.
# Redirect the Drupal RSS feed to FeedBurner
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} !FeedBurner [NC]
RewriteCond %{HTTP_USER_AGENT} !FeedValidator [NC]
RewriteRule ^rss\.xml$ http://feeds.feedburner.com/yourfeed [R=302,NC,L]
First register your blog's feed with the FeedBurner service. Then replace yourfeed with the name of your feed there. The two conditions exempt FeedBurner's own fetcher and the feed validator, identified by User-Agent; without them FeedBurner would be redirected to itself when it comes to read the original feed.
19. We prohibit comments from users without Referrer
Spam bots most often post straight to the comment handler (for example wp-comments-post.php in WordPress, or comment/reply in Drupal) without ever opening the page with your post. The code below blocks comments sent by visitors who came "from nowhere" and lets only readers comment who reached your blog page from some other page (for example from Google search results).
# Block comments from users without a Referer
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} comment/reply/
RewriteCond %{HTTP_REFERER} !yourblog\.com [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]
Replace yourblog.com with your blog's domain name (the REQUEST_URI condition matches Drupal's comment path; change it for your CMS). The rule bounces offenders back to their own IP address, which is harmless but confusing; answering 403 instead (the F flag with "-" as the substitution) is cleaner. The same caveat as for hotlink protection applies: the Referer is optional and forgeable, so readers whose browser or privacy extension strips it cannot comment, while a spam bot that sets a plausible Referer walks straight through.
20. Remove the file extension from the URL
This code removes the .php extension (you can change it to any other, for example .html) from page URLs. The two conditions limit the rule to paths that are not directories and for which a matching .php file actually exists; without them every extensionless URL, including folders, would be rewritten to a non-existent .php file.
# Remove the file extension from the URL
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME}.php -f
RewriteRule ^(([^/]+/)*[^.]+)$ /$1.php [L]
21. We protect the site
This code rejects requests whose query string looks like a script injection or like an attempt to overwrite PHP's $GLOBALS or $_REQUEST arrays:
# Enable following of symlinks
Options +FollowSymLinks
# Enable URL rewriting
RewriteEngine On
# Block every query string containing <script>
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block scripts that try to change the PHP GLOBALS variables
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block scripts that try to change the _REQUEST variable
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Answer all such requests with error 403 - Forbidden
RewriteRule ^(.*)$ - [F,L]
With the F flag the substitution is ignored, which is why "-" stands in its place (the original index.php target was never used). Treat this rule as a speed bump, not as protection: it inspects only the query string (never POST bodies, cookies or headers), it recognises only the literal word script, so an injected <img onerror=...> passes, and it also rejects harmless queries that happen to contain angle brackets. The real defences are input validation and output encoding in the application itself; the GLOBALS and _REQUEST patterns guard against register_globals-style attacks, a PHP feature that was off by default for years and removed entirely in PHP 5.4.
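To see exactly what the three conditions do and do not catch, here is an added example (my code, not from the article) that applies the same patterns in Python to a handful of constructed request targets. Python's re and Apache's PCRE agree on the syntax used in these patterns; the request targets are made up for the test.

```python
import re
from urllib.parse import urlsplit

# The three RewriteCond patterns, unchanged; only the first carries [NC],
# so only it is case-insensitive.
FILTER_RULES = (
    re.compile(r"(\<|%3C).*script.*(\>|%3E)", re.IGNORECASE),
    re.compile(r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})"),
    re.compile(r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})"),
)


def query_string_blocked(url):
    """True if the rule would answer 403 for this request target.

    %{QUERY_STRING} is the raw, still percent-encoded query string, which is
    what urlsplit().query returns. Nothing else (path, POST body, cookies,
    headers) is ever examined by the rule.
    """
    query = urlsplit(url).query
    return any(rule.search(query) for rule in FILTER_RULES)


def classify(url):
    return "403" if query_string_blocked(url) else "pass"


# Constructed request targets and what each one shows about the rule.
SAMPLES = (
    ("/index.php?q=<script>alert(1)</script>", "caught"),
    ("/index.php?q=%3Cscript%3Ealert(1)%3C/script%3E", "caught: encoded brackets"),
    ("/index.php?GLOBALS[user]=admin", "caught: register_globals style"),
    ("/index.php?_REQUEST=1", "caught"),
    ("/index.php?q=<img src=x onerror=alert(1)>", "bypass: no literal 'script'"),
    ("/index.php?q=<svg/onload=alert(1)>", "bypass: no literal 'script'"),
    ("/index.php?q=javascript-tips", "pass: no angle brackets"),
    ("/index.php?q=<b>description</b>", "false positive: 'description' contains 'script'"),
)


def run_samples():
    """Evaluate every sample; returns (target, verdict, note) tuples."""
    return [(url, classify(url), note) for url, note in SAMPLES]


if __name__ == "__main__":
    for url, verdict, note in run_samples():
        print(f"{verdict:4} {url:52} {note}")
```

The two bypasses and the false positive are the point: a pattern that keys on one keyword is both too narrow and too broad, and a POST body carrying the same payload is never examined at all.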
22. Redirect the visitor with the RedirectMatch directive and regular expressions
Another useful directive is RedirectMatch. To quote the documentation: "This directive lets you use a regular expression as the requested address (the redirect then applies not 'to a document' but 'to all documents such as ...'). The redirect is external: the browser is told that it needs to fetch a different page."
Syntax:
RedirectMatch [status] regexp URL
The status values (the HTTP code returned by the web server) are the standard ones:
permanent (301, a permanent redirect), temp (302, a temporary redirect, come again), seeother (303, look over there instead), gone (410, permanently removed; in this case no URL is given).
Example:
The same redirect from the old domain to the new one, without enabling RewriteEngine:
RedirectMatch 301 ^(.*)$ http://www.domainname.com$1
The target must be an absolute URL (or a path beginning with /), so the scheme is required; and because the matched path already begins with a slash, $1 is appended to the host name directly.
I will add from myself that you can use not only HTTP statuses but also other conditions, for example the file extension:
RedirectMatch (.*)\.gif$ http://www.myserver.com$1.png
RedirectMatch (.*\.jpg)$ http://www.myanother.com$1
Make sure to back up the .htaccess file before making any changes, and check that the whole site still works after adding new lines.
23. Protection from direct links for images through .htaccess
Hotlinking is embedding direct links to images or files hosted on one site into another. The technique is used quite often: say you do not have enough room on your server for pictures, so you use some free image-hosting service, upload a picture, get its URL and paste it into your site.
The result: you save space on your site and use the image host's bandwidth, and that is their problem, not yours. But what if someone decides that your site can serve as such a free host?
How do you avoid becoming a free provider of images and files?
Is there protection against this? Yes there is. To stop other sites from using your traffic and from linking directly to your files (pictures), add the following lines to your .htaccess file:
# Prevent other sites from hotlinking your files
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
# Allowed domains
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?sitename\.ru(:80)?(/|$) [NC]
# The site's IP address
RewriteCond %{HTTP_REFERER} !^https?://111\.111\.111\.111(:80)?(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yandex\.ru(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?google\. [NC]
#RewriteCond %{HTTP_REFERER} !^https?://(www\.)?friendly-domain\. [NC]
RewriteCond %{HTTP_REFERER} !search\?q=cache [NC]
# Do not apply the rule to the placeholder image itself, or the rewrite loops
RewriteCond %{REQUEST_URI} !/files/images/nohotlink\.jpg$
# File types to protect
# Variant 1: answer 403 Forbidden
#RewriteRule \.(jpe?g|bmp|gif|png|css|mov|swf|dcr|exe|rar|avi|vob|zip|pdf|txt|doc|flv|mp3|mp4)$ - [NC,F,L]
# Variant 2: show a placeholder picture instead of the requested one
RewriteRule \.(jpe?g|bmp|gif|png)$ /files/images/nohotlink.jpg [NC,L]
As a result, all other sites get a 403 Forbidden error (access denied) or the placeholder picture, and your bandwidth no longer works for them. The domain patterns end in (/|$) so that they match the host exactly rather than any host that merely begins with the domain, and the cache exception escapes its question mark (written as search?q=cache, the unescaped ? would make the h optional instead of matching a literal question mark). Two limits of the approach: the first condition deliberately lets through requests with no Referer at all (direct visits, proxies and browsers that strip the header, privacy extensions), and anyone can fetch a file with a forged Referer, so treat this as a bandwidth-saving measure rather than access control.
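The domain conditions in rules 1, 19 and 23 are only as good as their regular expressions. The following added example (my code, not the article's) mirrors the RewriteCond chain in Python and compares the loose pattern ^http(s)?://(www.)?sitename.ru.*$, the form in which hotlink snippets are usually written, with an anchored pattern, over a few constructed Referer values. sitename.ru and the placeholder path come from the article; the foreign hosts are made up.

```python
import re

# Loose pattern, as hotlink snippets are commonly written: unescaped dots
# and a trailing .* that accepts anything once "sitename.ru" has been seen.
LOOSE = re.compile(r"^http(s)?://(www.)?sitename.ru.*$", re.IGNORECASE)
# Anchored pattern: escaped dots, optional port, and the host must end
# right after the domain (a slash, a port or the end of the string).
STRICT = re.compile(r"^https?://(www\.)?sitename\.ru(:\d+)?(/|$)", re.IGNORECASE)

PLACEHOLDER = "/files/images/nohotlink.jpg"   # placeholder image from rule 23


def hotlink_allowed(referer, pattern=STRICT):
    """Mirror the RewriteCond chain of rules 1 and 23.

    Every condition is negated, so the rule fires only when the Referer is
    non-empty AND matches none of the allowed patterns. Returns True when
    the image is served as requested, False when the rule fires.
    """
    if referer == "":                 # %{HTTP_REFERER} !^$ fails -> rule skipped
        return True
    return pattern.search(referer) is not None


def serve(referer, pattern=STRICT):
    """What an image request with this Referer receives."""
    return "image" if hotlink_allowed(referer, pattern) else PLACEHOLDER


# Constructed Referer values; the foreign hosts are made up.
SAMPLES = (
    "",
    "https://www.sitename.ru/gallery/1",
    "http://sitename.ru:80/",
    "https://evil.example/page",
    "https://sitename.ru.evil.example/page",   # subdomain of an attacker's host
    "https://sitename.ru@evil.example/",       # userinfo trick
    "https://sitenameXru/",                    # unescaped dot matches any char
)


def compare():
    """(referer, loose verdict, strict verdict) for every sample."""
    return [(r, serve(r, LOOSE), serve(r, STRICT)) for r in SAMPLES]


if __name__ == "__main__":
    for referer, loose, strict in compare():
        print(f"{referer or '<none>':42} loose={loose:28} strict={strict}")
```

The unescaped dot and the trailing .* let sitename.ru.evil.example, sitename.ru@evil.example and sitenameXru through; anchoring the host ends all three. An empty Referer is accepted by both patterns, by design, and any client can send curl -e 'https://www.sitename.ru/' and be accepted, which is why the rule saves bandwidth but does not protect anything.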
24. ImageCache and protection from hotlinks through .htaccess
For Drupal's ImageCache module the previous rule does not work, so add these settings instead:
# Requests with no Referer count as local
SetEnvIfNoCase Referer "^$" local_ref=1
# Allowed domains
SetEnvIfNoCase Referer "^https?://(www\.)?domain\.ru(:\d+)?(/|$)" local_ref=1
SetEnvIfNoCase Referer "^https?://(www\.)?domain\.com(:\d+)?(/|$)" local_ref=1
# File extensions you want to protect
<FilesMatch "\.(gif|jpe?g|png)$">
Order Allow,Deny
Allow from env=local_ref
</FilesMatch>
Now hotlink protection and the ImageCache module work together perfectly. One "but": set up this way it is not possible to serve a different picture; the rule only protects your images, which is the main goal anyway. The domain patterns are anchored with (/|$) for the same reason as in rule 23: an unanchored domain is a prefix match, and domain.ru.example would otherwise be accepted.