Htaccess

From GoBlueMich Wiki
Revision as of 11:44, 23 May 2019 by Hoke

When Backing Up the .htaccess

Make sure your .htaccess backups retain the leading dot. This ensures the file will be hidden instead of being publicly-viewable (which would be bad). It is good practice to include a date, a ticket number, or other identifying information in the backup name.

.htaccess.2017_1_27.bak

Or

.htaccess.ticket174919.bak

Not

htaccess.bak


What is htaccess?

(From Wikipedia) In several web servers (most commonly Apache), .htaccess (hypertext access) is the default name of directory-level configuration files that allow for decentralized management of configuration when placed inside the web tree. .htaccess files may contain any number of allowed configuration directives and follow the same syntax as the main configuration files. Directives placed in .htaccess files apply to the directory where you place the file, and all sub-directories, unless disabled in the main configuration. The file name starts with a dot because dot-files are by convention hidden files on Unix-like operating systems. A subset of Apache's .htaccess syntax is also supported by other web servers, such as Sun Java System Web Server and Zeus Web Server.

Proper usage of htaccess will typically require at least a basic understanding of regex. Here's a remotely-hosted cheatsheet for your review; please print it out and keep it handy.

lwtraining.net

The training team has developed an htaccess module for lwtraining.net. Included in that space you can find a printable PDF with many of the below examples, as well as some new samples!

Troubleshooting

Password Auth is Displaying 404

This happens because of common rewrite rules used by CMS software to force the pretty URLs into the main index.php because the pages exist only in the database.

Check their main .htaccess file for something like this:

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-l
RewriteRule ^(.*)$ /index.php [L]

This checks to make sure the directory or file exists and if it doesn't, redirects to index.php. This makes the wp-admin folder accessible while redirecting domain.com/lastnightwasflippincrazy/ into the index.php to pull out of the database. The issue is that the auth page pulls up 401.shtml before taking you to the directory. This file does not normally exist so it trips the !-f rule and redirects to index.php. So! We need to add another RewriteCond to make it ignore the 401. Try something like this:

RewriteCond %{REQUEST_FILENAME} !\.shtml

This should allow the auth page to load without being redirected which makes the rest of the page work.

500 ERROR!

Often customers will add lines like this to their .htaccess file because the internets told them it would fix their WordPress site:

php_value memory_limit 5G
php_flag register_globals On

This is normally a good way to override serverwide PHP settings for a directory, but suPHP will piss its pants if it sees them and spit out a 500 error for the entire directory system. So run this to check if they have suPHP:

/usr/local/cpanel/bin/rebuild_phpconf --current

If they are running suPHP, comment out those lines and voila. If you want to be nice and the values aren't dumb, create a local php.ini for them and add the rules there.

Tricks

Here are a few htaccess tricks. You should also check ModRewrite for a few more tips and examples.

Enable Browser Caching and Compression

This will enable browser caching for most static content, as well as enable gzip compression. This will significantly help with website load time. You will need to make sure that mod_expires and mod_deflate are enabled for Apache. By default this should be the case on a cPanel server.

<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/text text/html text/plain text/xml text/css application/x-javascript application/javascript
</IfModule>

<IfModule mod_mime.c>
# Text
AddType text/css .css
AddType application/x-javascript .js
AddType text/html .html .htm
AddType text/richtext .rtf .rtx
AddType text/plain .txt
AddType text/xml .xml

# Image
AddType image/gif .gif
AddType image/x-icon .ico
AddType image/jpeg .jpg .jpeg .jpe
AddType image/png .png
AddType image/svg+xml .svg .svgz

# Video
AddType video/asf .asf .asx .wax .wmv .wmx
AddType video/avi .avi
AddType video/quicktime .mov .qt
AddType video/mp4 .mp4 .m4v
AddType video/mpeg .mpeg .mpg .mpe

# PDF
AddType application/pdf .pdf

# Flash
AddType application/x-shockwave-flash .swf

# Font
AddType application/x-font-ttf .ttf .ttc
AddType application/vnd.ms-fontobject .eot
AddType application/x-font-otf .otf

# Audio
AddType audio/mpeg .mp3 .m4a
AddType audio/ogg .ogg
AddType audio/wav .wav
AddType audio/wma .wma

# Zip/Tar
AddType application/x-tar .tar
AddType application/x-gzip .gz .gzip
AddType application/zip .zip
</IfModule>

<IfModule mod_expires.c>
ExpiresActive On

# Text
ExpiresByType text/css A31536000
ExpiresByType application/x-javascript A31536000
ExpiresByType text/html A3600
ExpiresByType text/richtext A3600
ExpiresByType text/plain A3600
ExpiresByType text/xml A3600

# Image
ExpiresByType image/gif A31536000
ExpiresByType image/x-icon A31536000
ExpiresByType image/jpeg A31536000
ExpiresByType image/png A31536000
ExpiresByType image/svg+xml A31536000

# Video
ExpiresByType video/asf A31536000
ExpiresByType video/avi A31536000
ExpiresByType video/quicktime A31536000
ExpiresByType video/mp4 A31536000
ExpiresByType video/mpeg A31536000

# PDF
ExpiresByType application/pdf A31536000

# Flash
ExpiresByType application/x-shockwave-flash A31536000

# Font
ExpiresByType application/x-font-ttf A31536000
ExpiresByType application/vnd.ms-fontobject A31536000
ExpiresByType application/x-font-otf A31536000

# Audio
ExpiresByType audio/mpeg A31536000
ExpiresByType audio/ogg A31536000
ExpiresByType audio/wav A31536000
ExpiresByType audio/wma A31536000

# Zip/Tar
ExpiresByType application/x-tar A31536000
ExpiresByType application/x-gzip A31536000
ExpiresByType application/zip A31536000

# Webfonts
ExpiresByType application/x-font-ttf "access plus 1 month"
ExpiresByType font/opentype "access plus 1 month"
ExpiresByType application/x-font-woff "access plus 1 month"
ExpiresByType image/svg+xml "access plus 1 month"
ExpiresByType application/vnd.ms-fontobject "access plus 1 month"
</IfModule>

<FilesMatch "\.(?i:css|js|htm|html|rtf|rtx|txt|xml|gif|ico|jpg|jpeg|jpe|png|svg|svgz|asf|asx|wax|wmv|wmx|avi|mov|qt|mp4|m4v|mpeg|mpg|mpe|pdf|swf|ttf|ttc|eot|otf|mp3|m4a|ogg|wav|wma|tar|gz|gzip|zip)$">
<IfModule mod_headers.c>
Header set Cache-Control "public, must-revalidate, proxy-revalidate"
Header unset ETag
</IfModule>
</FilesMatch>


Htaccess Redirect Generator

This section has been moved to the Helpful links section of the mod_rewrite wiki

Disallow Hotlinking:

How Do I Stop Hotlinking and Bandwidth Theft?

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^https?://(.+\.)?mysite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule .*\.(jpe?g|gif|bmp|png)$ qX4w7.gif [L]

Had trouble with the one above for some reason so I tried the one below and it seemed to do the trick.

# hotlink protection allowing all source urls
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://domain.tld.*$            [NC]
RewriteCond %{HTTP_REFERER} !^http://www.domain.tld.*$        [NC]
RewriteCond %{HTTP_REFERER} !^http://domain.tld:80.*$         [NC]
RewriteCond %{HTTP_REFERER} !^http://www.domain.tld:80.*$     [NC]
RewriteRule .*[Jj][Pp][Gg]$|.*[Gg][Ii][Ff]$|.*[Pp][Nn][Gg]$ - [F,NC,L]


But! I want to allow one domain (onedomain.com) to hotlink to my domain (mydomain.net) and then no one else ...

## Stop hotlinking 
RewriteEngine On
RewriteCond %{HTTP_REFERER} !onedomain\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^https?://(.+\.)?mydomain\.net/ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule .*\.(jpe?g|gif|bmp|png|ico)$ qX4w7.gif [L]

Allow specific IPs/ranges/hostnames to bypass username/password auth:

AuthType Basic
AuthName "Private"
AuthUserFile /path/to/.htpasswd
Require valid-user
Order allow,deny

#allows our 4428 office range.
Allow from 10.20.4.0/22

#allow a specific ip.
Allow from 10.20.4.218
  
#allow a specific hostname.
Allow from galactica.liquidweb.com

Satisfy any

Please note that you should never place the htpasswd file in a location that can be reached in a browser (placing it in /usr would be ideal, actually). Also, you will need to create that file and manually add authorized users. These users are NOT Linux user accounts and only exist in the context of htpasswd.

 #create htpasswd file:
 /usr/local/apache/bin/htpasswd -c /path/to/.htpasswd $USERNAME
 
 #add users to existing file:
 /usr/local/apache/bin/htpasswd /path/to/.htpasswd $USERNAME
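
The block above uses the Apache 2.2 directives (Order, Allow, Satisfy), which Apache 2.4 accepts only through mod_access_compat. As an added example (not from the original page), this is the same policy in native 2.4 syntax, using the same placeholder path, addresses and hostname:

```apache
# Added example for Apache 2.4 (mod_authz_core / mod_authz_host).
# Path, addresses and hostname are the placeholders used on this page.
AuthType Basic
AuthName "Private"
AuthUserFile /path/to/.htpasswd

# RequireAny grants access when at least one child rule passes,
# which is what "Satisfy any" expressed in the 2.2 syntax.
<RequireAny>
    # Office range: no password prompt
    Require ip 10.20.4.0/22

    # Single address
    Require ip 10.20.4.218

    # Hostname: Apache does a double reverse DNS lookup on the client address
    Require host galactica.liquidweb.com

    # Everyone else must log in with an account from the htpasswd file
    Require valid-user
</RequireAny>
```

If the site sits behind a reverse proxy or CDN, the IP rules match the proxy's address rather than the visitor's unless mod_remoteip is configured.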

Custom PHP error_log

  • The custom log file needs to be writable by the Apache user, and on cPanel it needs to be owned by the cPanel user or cPanel won't back it up.

This will not work with SuPHP!

php_flag display_errors off
php_value error_reporting 2039
php_flag log_errors on
php_value error_log "/path/to/error_log"

Plesk on Linux PHP Directives

Create a “vhost.conf” file in “/var/www/vhosts/<domain name>/conf/”

<Directory /var/www/vhosts/<domain name>/httpdocs>
php_admin_value php_configuration On/Off/(number)
</Directory>

For example if you wanted to turn off safe_mode

<Directory /var/www/vhosts/<domain name>/httpdocs>
php_admin_value safe_mode off
</Directory>

Then run the following (deprecated versions):

/usr/local/psa/admin/sbin/websrvmng -u --vhost-name=<domain name>

Or for new Plesk versions:

/usr/local/psa/admin/bin/httpdmng -u --vhost-name=domain.com

And then:

service httpd reload

Force SSL on all Pages

This section has been moved to the mod_rewrite wiki

Force SSL for a Specific Domain Only

This section has been moved to the mod_rewrite wiki

Default WordPress htaccess file

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

If you are using password-protected directories, this will cause them to 404. To get past this, make the following change:

Replace the line

RewriteRule . /index.php [L]

with

RewriteRule ./ /index.php [L]

The final code snippet will look like this:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ./ /index.php [L]
</IfModule>
# END WordPress

Force WWW on all pages

This section has been moved to the mod_rewrite wiki

Force WWW and HTTPS in htaccess

This section has been moved to the mod_rewrite wiki

Strip WWW from address

This section has been moved to the mod_rewrite wiki

Make mail work like webmail

Just redirect one to the other:

RewriteEngine on
# %{HTTP_HOST} holds the Host header for both HTTP and HTTPS requests;
# mod_rewrite has no HTTPS_HOST variable, so one condition is enough.
RewriteCond %{HTTP_HOST} ^mail\.(.*) [NC]
RewriteRule ^(.*)$ https://webmail.%1/ [R=301,NC,L]

Protect file from being accessed

A customer might want to protect a specific file from being accessed, such as .htaccess itself, or wp-config.php for example. Here's the quick and easy:

 #Protect the htaccess file
 <Files .htaccess>
 Order Allow,Deny
 Deny from all
 </Files>
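
Added example, not from the original page: the same idea extended to the other files this page mentions (wp-config.php and .htaccess backups saved without the leading dot), written so it works under both the 2.2 and 2.4 access-control syntax. The filename pattern is an assumption; adjust it to the names actually in use.

```apache
# Added example: denies HTTP access on Apache 2.2 and 2.4.
# The pattern matches any file whose name starts with:
#   .ht            (.htaccess, .htpasswd and dotted backups of them)
#   htaccess       (backups saved without the leading dot, e.g. htaccess.bak)
#   wp-config.php  (the file itself plus copies such as wp-config.php.bak)
<FilesMatch "^(\.ht|htaccess|wp-config\.php)">
    <IfModule mod_authz_core.c>
        # Apache 2.4
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>
```

WordPress loads wp-config.php from disk through PHP, not over HTTP, so denying web requests for it does not affect the site.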

Add MIME types to a single site

A customer may need to load GIF and JPEG files on a single site, but not elsewhere (maybe they only want to use .bmp files for images because of security concerns). We can use htaccess to do this - in fact, it uses the exact same syntax as httpd.conf:

 #only load gif & jpeg files for this site
 AddType image/gif .gif .GIF                
 AddType image/jpeg .jpeg .jpg .jpe .JPG

Note that if you do not correctly declare RewriteBase, you will only be able to load these MIME types from this directory - not from any sub- or parent directories.

CORS - Cross-Origin Resource Sharing

Sometimes, customers need this enabled on their site. This requires mod_headers (which is usually installed). Here is a basic allow for everything:

 <IfModule mod_headers.c>
 Header set Access-Control-Allow-Origin "*"
 </IfModule>

Reference for Apache, more info on the site: https://enable-cors.org/server_apache.html

General Overview: https://www.html5rocks.com/en/tutorials/cors/
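
The wildcard above lets a script on any site read this directory's responses. As an added example (not from the original page), this variant returns the header only for origins on an allowlist; the example.com origins and the CORS_ALLOWED_ORIGIN variable name are placeholders.

```apache
# Added example: origin allowlist in place of the "*" wildcard.
# The origins and the variable name below are constructed placeholders.
<IfModule mod_setenvif.c>
<IfModule mod_headers.c>
    # Weak form from the page: every origin is allowed
    # Header set Access-Control-Allow-Origin "*"

    # Store the request's Origin header only when it matches the allowlist
    # exactly; $0 is the whole matched string.
    SetEnvIf Origin "^https://(app|admin)\.example\.com$" CORS_ALLOWED_ORIGIN=$0

    # Echo the matched origin back. Requests from any other origin get no
    # CORS header, so the browser blocks the cross-origin read.
    Header set Access-Control-Allow-Origin "%{CORS_ALLOWED_ORIGIN}e" env=CORS_ALLOWED_ORIGIN

    # The response now differs per origin, so shared caches must key on it
    Header merge Vary "Origin"
</IfModule>
</IfModule>
```

Anchoring the pattern with ^ and $ matters: an unanchored match would also accept origins that merely contain the allowed hostname.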