Using .htaccess in your Web Project

What is .htaccess?


Apache web servers allow the use of a text file called .htaccess to control certain behaviours within a website.  The .htaccess file contains a list of brief instructions which are referred to by the web server prior to responding to a web request.

By uploading a .htaccess file to your web space, or modifying an existing one, you can add functionality to your website including redirection, custom error pages, IP blocking and password protection.

Does my host support .htaccess?
Not necessarily.  Most hosts using Unix/Linux operating systems and/or Apache webservers can offer the service (though a few choose not to).  If you are unsure, contact your host.

All Mouse Whisperer hosting solutions offer the use of .htaccess.

What can .htaccess do?
The use of .htaccess offers a number of useful abilities including:

  • Custom Error Pages
  • Password protection of certain folders and their subfolders
  • Automatic User Redirection
  • Banning users with certain IP addresses
  • Allowing only users with certain IP addresses
  • Changing the default index file
  • Disallowing directory listings

The first two are far and away the most popular uses, and are described below.  For more details on these and the other uses of .htaccess, please see the links below the article.

Creating the .htaccess file

The .htaccess file is simply a text file (like those created by plain text editors such as Windows Notepad) containing a list of instructions for the web server.

Despite this, it can sometimes cause a few headaches because of its unusual name, starting with a period followed by an 8-character extension.  Some systems (especially older Windows implementations) won't allow this naming convention.

The usual workaround is to call the file something else (often htaccess.txt), upload this file to the server using FTP, then change its name using your FTP program (see the FTP tutorial for more details about FTP programs).


Custom Error Pages

Providing customised error pages is one of the most popular uses for .htaccess.  When the webserver detects an error, it presents by default a very crude and unhelpful message - some of the more common ones are:

400 Bad Request
401 Authorization Required
403 Forbidden
404 Not Found
405 Method Not Allowed
408 Request Timed Out
500 Internal Server Error

There are numerous other error codes too.  A full list can be found HERE.

In order to divert any such error to your own custom page, simply add a single line to your .htaccess file with the following format:

ErrorDocument [error number] [URL of custom page]

For example, to divert the 404 Not Found error to my custom page notFound.html (in the same directory) the line would read:

ErrorDocument 404 /notFound.html

Your custom pages do not have to be in the same directory as your .htaccess file, provided that they can be accessed via the URL; you may, for instance, have an entry like:

ErrorDocument 401 /errorpages/needAuth.html

indicating that the error page is stored in a directory errorpages under the root directory of your site.

You may have as many custom pages as you wish; simply add each one on a separate line of your .htaccess file.

See the PHP page for a simple PHP script which will generate a custom error page for you for any error codes that you specify.

My Tip: I believe that custom error pages, which can be generated using .htaccess, look much better to the user than the awfully spartan default error pages (you know - '404 Error: File Not Found' and that sort of thing).  They can offer the user information about what (s)he may have done wrong, and a link to get them back on track, for instance, making your site appear more professional and user-friendly.


Using .htaccess to password protect certain directories

.htaccess provides a very handy and secure way to password-protect directories on your website.  To do so, you will need a second file, .htpasswd, in addition to your .htaccess file.  This is also a plain text file, and once again if the naming convention proves troublesome, you can initially call the file something else (htpasswd.txt say), upload it to the server, then change the name using FTP.  Because Basic authentication sends the username and password with every request in an easily decoded form, serve the protected directory over HTTPS.

In your .htaccess file, you will need four lines like the following:

AuthUserFile /[path to directory]/.htpasswd
AuthName "Admin area"
AuthType Basic
require valid-user

The first line tells the web server where to find the .htpasswd file which will contain the valid usernames and passwords.  Replace [path to directory] with the correct path information.  For security reasons, it is best if this file is not saved in a directory which is available to the web browsing public.

The .htpasswd file contains the username and password combinations of the users to whom access will be granted.  These take the form:

username:password

where username is the name of the authorised user, and password is his/her encrypted password.  There are many tools available for encrypting such passwords, for instance this one here.  An example with both username and password set to demo would be:

demo:JLH/N44X2Rm8M

My Tip: This is just for example purposes.  In practice, don't set usernames and passwords to the same value, as they are then too easy to guess.

To have more than one valid user, simply add extra lines to the .htpasswd file, each line containing a valid username and (encrypted) password separated by a colon.
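
An added example (not part of the original tutorial): a small Python audit that reads an .htpasswd file and reports which password scheme each entry uses, so that weak entries can be regenerated. The 13-character value in the demo line above is the traditional crypt() format; the function names and all sample entries other than that demo line are constructed for illustration.

```python
import re

# Constructed sample .htpasswd: line 1 is the demo entry from the tutorial,
# every other user and hash value is made up for this example.
SAMPLE = """\
demo:JLH/N44X2Rm8M
alice:$2y$05$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234
bob:$apr1$saltsalt$AAAAAAAAAAAAAAAAAAAAAA
carol:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
demo:secondentry
broken line without colon
"""

# (scheme name, test on the hash field, verdict)
SCHEMES = [
    ("bcrypt", lambda h: h.startswith(("$2y$", "$2a$", "$2b$")), "ok"),
    ("apr1-md5", lambda h: h.startswith("$apr1$"), "legacy"),
    # {SHA} is a single unsalted SHA-1 of the password.
    ("sha1", lambda h: h.startswith("{SHA}"), "weak"),
    # Traditional crypt(): 13 characters, only the first 8 password chars count.
    ("des-crypt", lambda h: bool(re.fullmatch(r"[./0-9A-Za-z]{13}", h)), "weak"),
]

def classify(hash_field):
    """Map the part after the colon to (scheme, verdict)."""
    for name, matches, verdict in SCHEMES:
        if matches(hash_field):
            return name, verdict
    return "unknown-or-plaintext", "weak"

def audit_htpasswd(text):
    """Return (line_no, user, scheme, verdict, note) for every entry."""
    findings, seen = [], set()
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, hash_field = line.partition(":")
        if not (sep and user and hash_field):
            findings.append((line_no, None, None, "malformed", "expected username:hash"))
            continue
        scheme, verdict = classify(hash_field)
        note = "duplicate username" if user in seen else ""
        seen.add(user)
        findings.append((line_no, user, scheme, verdict, note))
    return findings

if __name__ == "__main__":
    for finding in audit_htpasswd(SAMPLE):
        print(finding)
```

Entries reported as weak or legacy can be regenerated with Apache's htpasswd tool using its -B option, which stores a bcrypt hash.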

When a user attempts to view any page within a protected directory, a standard dialogue box will pop up asking for the username and password.

For more detailed information on using .htaccess, see Apache's own documentation here or try one of the recommended books below.

© 2005 The Mouse Whisperer