jrobinsonc
9/19/2016 - 2:32 PM

HTACCESS Snippets

HTACCESS Snippets

htaccess-snippets.md
content_copyfile_download
# HTACCESS 

## Snippets

### Redirect path to another location

```
RewriteEngine On
RewriteCond %{REQUEST_URI} /my-url [NC]
RewriteRule .* https://domain.tld/123412341234/ [R=301,L] 
```

### Redirect not-found requests to another server

```
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^images/(.+)$  https://domain.tld/images/$1  [R,L]
```

### Redirect not-found files calls to other host

```
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} ^/sites/default/files/.+$
RewriteCond %{HTTP_HOST} ^localhost
RewriteRule ^(.*)$ http://otherhost.com/$1 [L]
```

### Prevent access to certain files or directories

Prevent access to directories.

```shell
<IfModule mod_authz_core.c>
	Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
	Order deny,allow
	Deny from all
</IfModule>
```

Prevent access to the a file.

```
<Files "config.json">
    Deny from all
</Files>
```

Regular expressions can also be used, with the addition of the ~ character.

```
<Files ~ "config\.(json|yml)$">
    Deny from all
</Files>
```

### Prevent directory listing

```
Options -Indexes
```

## Tips

### Wrap the snippet inside "IfModule"

For mod_rewrite rules, you can use the IfModule clause to ensure this won't brake the website if the RewriteEngine module is not enabled:

```
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{REQUEST_URI} /my-url [NC]
  RewriteRule .* https://domain.tld/123412341234/ [R=301,L] 
</IfModule>
```
redirect-to-https.md
content_copyfile_download
  • Rendered
  • Source

Redirect all traffic from HTTP to HTTPS

This involves two steps:

# This is required for the rules to work but if you already have it in your 
# .htaccess, then there is no need to add this line.
RewriteEngine On

# Step 1 - Option A
#When the SSL certificate is not installed in the web server where the website is running.
# For example, when using Cloudflare's SSL or when the SSL certificate is installed in
# a load balancer but not in the web server.
RewriteCond %{HTTP:X-Forwarded-Proto} =https
RewriteRule .* - [E=protossl:1]

# Step 1 - Option B
# When the certificate is installed in the web server.
RewriteCond %{HTTPS} on
RewriteRule .* - [E=protossl:1]

# Step 2
RewriteCond "%{ENV:protossl}" !=1
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
dealing-with-www.md
content_copyfile_download
  • Rendered
  • Source

Dealing with WWW

Redirect all traffic to use 'www.'

RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Redirect all traffic to not use 'www.'

RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [L,R=301]
protect-files-and-directories.md
content_copyfile_download
  • Rendered
  • Source

Protect files and/or directories with password

First, we need to create the file with the user and passwords, and for that we can use a free service like DynamicDrive or use command below to generate the file in the server:

sudo htpasswd -c /var/www/.htpasswd myusername

Note that the file .htpasswd is genereated in the directory /var/www assuming the website is located in /var/www/html, this file must never be publicly accessible. For help with this command you can visit the documentation.

Then, add this to the .htaccess file:

AuthType Basic
AuthName "Password Protected Area"
AuthUserFile /var/www/.htpasswd 
Require valid-user

And that's it.