.htaccess in Detail

What is .htacces file?

.htaccess are files (or “distributed configuration files”) which provide a way to make configuration changes on a per-directory basis.

With the use of .htaccess file we can acheive the  below tasks.
make password product, redirect, script enable, index listing, index file.

Is it safe?

There are two main reasons to avoid the use of .htaccess files.

The first of these is performance. When AllowOverride is set to allow the use of .htaccess files, Apache will look in every directory for .htaccess files. Thus, permitting .htaccess files causes a performance hit, whether or not you actually even use them! Also, the .htaccess file is loaded every time a document is requested.

Further note that Apache must look for .htaccess files in all higher-level directories, in order to have a full complement of directives that it must apply. (See section on how directives are applied.) Thus, if a file is requested out of a directory /www/htdocs/example, Apache must look for the following files:


And so, for each file access out of that directory, there are 4 additional file-system accesses, even if none of those files are present. (Note that this would only be the case if .htaccess files were enabled for /, which is not usually the case.)

The second consideration is one of security. You are permitting users to modify server configuration, which may result in changes over which you have no control. Carefully consider whether you want to give your users this privilege. Note also that giving users less privileges than they need will lead to additional technical support requests. Make sure you clearly tell your users what level of privileges you have given them. Specifying exactly what you have set AllowOverride to, and pointing them to the relevant documentation, will save yourself a lot of confusion later.

To enable .htaccess, change the AllowOverride option in the apache conf file accordingly

AllowOverride All

Instead of All we can give Options FileInfo, AuthConfig, Limit and None

The default filename is .htaccess. If we want to change change in the apache httpd.conf file as below.

AccessFileName .config

If you changed the above settings .htaccess enabled. So now place a file with name .htaccess (or any given name) in the web server root directory.

Before processing that directory apache will look for a file named .htaccess there before doing any processing. If parent directory  and sub directory contains same configuration info for sub directory sub directory configuration will be taken.

Useful commands

If file not found error occurred in the directory we can set the default error page to something.

ErrorDocument 404 /404.html

As mentioned above we can apply the same concept for other error codes also. For example 500 for internal server error, 403 for access denied.

To disable directory indexes inside the directory add below line to .htaccess file

 Options -Indexes

To allow particulat ip address add below code

allow from

[ Range can also possible like, ]

To deny particular ip address

deny from

[ Range can also possible like, ]

To deny from all

deny from all

To specify index file for each folder

DirectoryIndex index.html index.jsp index.php

Apache will look from left to right, So if index.html not found it will look for index.jsp then index.php

Also we can redirect a particular directory or particular file to another path/file in the same server or on any other server. See below

To Redirect file/path

 Redirect /path/file /newpath/file
Redirect /file http://www.google.com

While doing redirect the additional info in the path will be kept as it is. For example after Redirect /test http://www.google.com/test  if we type www.oldurl.com/test/filepath/file.png  it will go to www.google.com/test/filepath/file.png

To protect a directory with password add below code

AuthName "Name to display while prompting password"
AuthType Basic
AuthUserFile "/full/path/to/.htpasswd"
Require valid-user

To add the password and user details to .htpasswd file use the htpasswd command as below.

htpasswd -mc /full/path/to/.htpasswd username

To access the path via script directly with password try with http://rajesh:rajesh123@localhost/test

Find the options available with htpasswd command to create password below.

htpasswd [ -c ] [ -m ] [ -D ] passwdfile username
htpasswd -b [ -c ] [ -m | -d | -p | -s ] [ -D ] passwdfile username password
htpasswd -n [ -m | -d | -s | -p ] username
htpasswd -nb [ -m | -d | -s | -p ] username password

-b    Use batch mode; i.e., get the password from the command line rather than prompting for it. This option should be used with extreme care, since the password is clearly visible on the command line.

-c    Create the passwdfile. If passwdfile already exists, it is rewritten and truncated. This option cannot be combined with the -n option.

-n    Display the results on standard output rather than updating a file. This is useful for generating password records acceptable to Apache for inclusion in non-text data stores. This option changes the syntax of the command line, since the passwdfile argument (usually the first one) is omitted. It cannot be combined with the -c option.

-m    Use MD5 encryption for passwords. This is the default (since version 2.2.18).

-d    Use crypt() encryption for passwords. This is not supported by the httpd server on Windows and Netware and TPF. This algorithm limits the password length to 8 characters. This algorithm is insecure by today’s standards. It used to be the default algorithm until version 2.2.17.

-s    Use SHA encryption for passwords. Facilitates migration from/to Netscape servers using the LDAP Directory Interchange Format (ldif).

-p    Use plaintext passwords. Though htpasswd will support creation on all platforms, the httpd daemon will only accept plain text passwords on Windows, Netware and TPF.

-D    Delete user. If the username exists in the specified htpasswd file, it will be deleted.

passwdfile    Name of the file to contain the user name and password. If -c is given, this file is created if it does not already exist, or rewritten and truncated if it does exist.

username    The username to create or update in passwdfile. If username does not exist in this file, an entry is added. If it does exist, the password is changed.

password    The plaintext password to be encrypted and stored in the file. Only used with the -b flag.

This entry was posted in .htaccess and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.