Scattered Thoughts » htaccess http://www.kunaal84.com/blog where you go when not looking for the answer to life, the universe and everything Tue, 15 Dec 2009 14:04:04 +0000 en hourly 1 http://wordpress.org/?v=3.0 Using .htaccess to password protect a directory http://www.kunaal84.com/blog/2007/09/13/using-htaccess-to-password-protect-a-directory/ http://www.kunaal84.com/blog/2007/09/13/using-htaccess-to-password-protect-a-directory/#comments Thu, 13 Sep 2007 15:18:25 +0000 Kunaal Ramchandani http://www.kunaal84.com/blog/2007/09/13/using-htaccess-to-password-protect-a-directory/ I came across this issue a few days ago, I was required to create a secure area on a web server where I could upload large files. The directory where these files were uploaded should be password protected so that only someone authorised can access it, and as a further protection, the directory should have its directory listings display turned off. Client Side password protection like using Javascript is not very good, because it can be disabled
Figured this might make someone else’s life easier in the future

  • Using a FTP client, login to your server.
  • Create a new directory in your public folder (www, public_html etc). Remember to keep the name something people will not be able to guess. something like “S3cr3tF0ld3r” maybe
  • Create an empty .htaccess file and upload it to that directory
  • The first and easiest step to carry out is to disable directory listings. Use the following code (also described here) 
    Options All -Indexes
  • Now comes the slightly trickier part, password protecting the directory:
    I first add the following lines to the .htaccess file

    AuthUserFile /path/to/.htpasswd
AuthName "My own Login Area"
AuthType Basic
  • I then add the username and encrypted password to the .htpasswd file and place it in the same place mentioned in the htaccess above.
    The little script below generates the uname:password combination

    username:


    password:

  • You can test this here, username and password are both ‘test’
]]> http://www.kunaal84.com/blog/2007/09/13/using-htaccess-to-password-protect-a-directory/feed/ 0 Tips and tricks with the .htaccess file – Part 1 http://www.kunaal84.com/blog/2007/08/27/tips-and-tricks-with-the-htaccess-file-part-1/ http://www.kunaal84.com/blog/2007/08/27/tips-and-tricks-with-the-htaccess-file-part-1/#comments Mon, 27 Aug 2007 14:46:15 +0000 Kunaal Ramchandani http://www.kunaal84.com/blog/2007/08/27/tips-and-tricks-with-the-htaccess-file-part-1/ .htaccess (which stands for Hypertext Access) are text files that are used to make configuration changes on an Apache Server. It contains a series of ‘directives’ for the server to follow, these directives are then applied to the folder the .htaccess file is placed in and also to all its sub-folders.For htaccess novices, it is important to note that small syntax errors can result at times in serious issues, so it is always a good idea to always backup your site before making major changes to the .htaccess file. I am no expert in .htaccess, but here are some directives I have found really useful.

The following are some of the most useful directives I have used:

1. URL Canonicalisation

Some search engines treat www.yoursite.com and yoursite.com as 2 separate sites, now if you are interested in SEO (and pretty much everyone nowadays is) this could lead to bigger issues. Using .htaccess you can make sure that all users will see the url you want them to see.

RewriteEngine On

RewriteCond %{HTTP_HOST} ^kunaal84.com$ [NC]

RewriteRule ^(.*)$ http://www.kunaal84.com/$1 [L,R=301]

The above piece of code returns a 301 permanent redirect error if it receives a request for “kunaal84.com” and redirects the user to “www.kunaal84.com”.

2. Restrict access

A Single File
order allow,deny

deny from all

Add the above block of code and replace the file name “restricted_file.html”, with the name of the file you want to restrict access to.

File Types
Order Allow,Deny

Deny from all

Add the above block of code to restrict access to all files of type “.php and .css”, add more files as you see fit.

3. Disable Directory Listing

If you are missing a default page in your root folder, everything in it becomes visible and accessible to any visitor, the following code directive prevents the directory from listing its files and returns a “Forbidden” message

Options All -Indexes

4. Change Default Index Page

You can tell your server to show another file as the default index file instead of the usual index.html/index.htm
For example to show new_index_file.html as the default file use

DirectoryIndex new_index_file.html

5. Parse an Html File Using the PHP Parser

Sometimes you might need to parse your html files using the php parser, to do this use the following directive

AddType application/x-httpd-php .html

6. Use Custom Error Pages

Use the following directive if you want to display your own 404 page instead of the server default

ErrorDocument 404 /errors/404.html

7. Redirects

The following directive carries out a simple 301 redirect

redirect 301 /directory/old_file.html http://www.my_domain.com/new_directory/newfile.html

8. Stop Hotlinking

To prevent bandwidth thieves, use the following block of code. This prevents hotlinking of .gif, .jpg and .png files (more can be added)



RewriteEngine on

RewriteCond %{HTTP_REFERER} !^$

RewriteCond %{HTTP_REFERER} !^http://(www.)?your_domain_name.com/.*$ [NC]

RewriteRule .*.(gif|jpg|png)$ - [F,L]

If you prefer to teach them a lesson, serve some alternate content use

RewriteEngine on

RewriteCond %{HTTP_REFERER} !^$

RewriteCond %{HTTP_REFERER} !^http://(www.)?your_domain_name.com/.*$ [NC]

RewriteRule .*.(gif|jpg|png)$ http://www.your_domain_.com/alternate_image.bmp [R,NC,L]

Bibliography:
Apache mod_rewrite
htaccess tutorial

Cool Software:
Automatic .htaccess Generator

]]> http://www.kunaal84.com/blog/2007/08/27/tips-and-tricks-with-the-htaccess-file-part-1/feed/ 1