I installed GIJoes protector module the other day. The protector module checks for vulnerabilities and asks that you edit a couple files depending on what it finds. One file to be edited is the .htaccess file. I didn't understand this file or really what it was about. Here's a little of what I found out. I just kind of hobbled this together from things I read on the net.
1. Why would you want to edit or create a .htaccess file?
A .htaccess file provides a way to make configuration changes on a per-directory basis. The .htaccess file, containing one or
more rules, is placed in a particular directory, and those rules apply to that directory and all subdirectories.
2. Why does the .htaccess file name look funny?
I don't know. The file is simply named ".htaccess" without the quote marks. Make sure you do not put an extension on the end
of the file.
3. What do I use to create the .htaccess file?
You can use any text editor. To create the file, open up a text editor and save an empty page as .htaccess. Most likely your
text editor will add its default extension to the .htaccess name (ex: Notepad would call the file .htaccess.txt). Remove
the .txt (or other) file extension. Just right click on the file and rename it to say .htaccess.
4. Once created.
htaccess files must be uploaded in ASCII mode, not BINARY. You may need to CHMOD the htaccess file to 644 (RW-R--R--).
This makes the file usable by the server, but prevents it from being read by a browser, which can seriously compromise your
security.
When writing commands in the .htaccess, use one line only for each command. If you use a text editor that uses word-wrap, make sure to disable
that feature or it might throw in a few extra characters.
5. Where do I place it?
In your root directory. However, the htaccess file sets rules for the directory it's placed in and all sub-directories. That is, the
htaccess file located in your root directory (yoursite.com) would affect yoursite.com/content, yoursite.com/content/contents,
etc.
6. The .htaccess file is commonly used to:
a. Provide custom error pages, such as 404 Page Not Found
# Local path, relative to the DocumentRoot, starting with /
ErrorDocument 404 /my404page.html
This code can be used to create any custom page. Certain pages are more complicated to modify - if you create a custom
403 Forbidden page, then a viewer will not see the custom page. Here is a way to get around this:
ErrorDocument 403 /all/my403page.html
In the /all directory, you would need another .htaccess file, ie:
order allow,deny
allow from all
This would give access to Forbidden users to the /all directory, where the custom 403 page is kept in this example.
b. Password protection
c. Enabling SSI via .htaccess
AddType text/html .shtml
AddHandler server-parsed .shtml
Options Indexes FollowSymLinks Includes
d. Deny users by IP address
order allow,deny
deny from 123.45.67.0
deny from 123.123.7
allow from all
This would ban anyone with an IP address of 123.45.67.0 and would also ban anyone with an IP address starting in
123.123.7; for example, 123.123.74.42 would not gain access.
f. Changing the default directory page
DirectoryIndex homepage.html
Here, anyone visiting http://www.yourwebsite.com would see the homepage.html page, rather than the default index.html.
g. Redirects
# The old path starts with / and the target is a full URL
Redirect /page1.html http://www.yourwebsite.com/page2.html
If someone was to visit http://www.yourwebsite.com/page1.html, they would be sent to http://www.yourwebsite.com/page2.html
h. Preventing hotlinking of images
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
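RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourwebsite\.com/.*$ [NC]
# Skip the replacement image itself so the redirect cannot loop
RewriteCond %{REQUEST_URI} !/hotlink\.gif$
# The whole rule must stay on one line
RewriteRule \.(gif|jpg)$ http://www.yourwebsite.com/hotlink.gif [R,L]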
Unless the image is displayed on yourwebsite.com, browsers would see the image hotlink.gif.
7. Remember the .htaccess file controls the directory it is in, plus all subdirectories. However, by placing additional
.htaccess files in the subdirectories, you can overrule this.
I have not played with the .htaccess file other than using GIJoes protector module so my understanding at this time is
limited. I hope this helps others get an idea of just what that file can do. If anyone sees errors or wishes to add something
to this, please do.
don (el paso)
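
A checker for the naming and upload steps in sections 3 and 4, as an added example that is not part of the original post. It takes the post's 644 mode, ASCII upload and one-line-per-command advice as the expected state; the function names, the `MIN_ARGS` table and the sample directory are constructed for illustration.

```python
import os
import stat
import tempfile

# Directives that take at least two arguments; fewer on one line usually
# means an editor wrapped the rule onto the next line. (Assumed table.)
MIN_ARGS = {"RewriteRule": 2, "RewriteCond": 2, "ErrorDocument": 2, "Redirect": 2}

def audit_htaccess(directory):
    """Return a list of findings for the .htaccess file in `directory`."""
    findings = []
    for name in sorted(os.listdir(directory)):
        if name.startswith(".htaccess."):
            findings.append(f"{name}: stray extension, rename to .htaccess")
    path = os.path.join(directory, ".htaccess")
    if not os.path.isfile(path):
        return findings + [".htaccess: missing"]
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode != 0o644:
        findings.append(f".htaccess: mode {mode:03o}, expected 644")
    with open(path, "rb") as fh:
        raw = fh.read()
    if b"\r" in raw:
        findings.append(".htaccess: carriage returns found, re-upload in ASCII mode")
    for number, line in enumerate(raw.decode("utf-8", "replace").splitlines(), 1):
        words = line.split()
        if words and len(words) - 1 < MIN_ARGS.get(words[0], 0):
            findings.append(f".htaccess:{number}: {words[0]} is missing arguments (wrapped line?)")
    return findings

def demo():
    """Audit a constructed sample: wrong name, wrong mode, CRLF, wrapped rule."""
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, ".htaccess.txt"), "w").close()
        path = os.path.join(d, ".htaccess")
        with open(path, "wb") as fh:
            fh.write(b"RewriteEngine on\r\n"
                     b"RewriteRule \\.(gif|jpg)$\r\n"
                     b"http://www.yourwebsite.com/hotlink.gif [R,L]\r\n")
        os.chmod(path, 0o666)
        return audit_htaccess(d)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```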