Using .htaccess files with Apache

by Mike on December 14, 2008 · 2 comments

The .htaccess file allows you to make configuration changes on a per-directory basis.  To do this you place the hidden .htaccess file in the directory it should apply to, and Apache reads it when it serves requests from that directory.  You can change the name of the file Apache looks for with the AccessFileName directive, like this:

AccessFileName .htcontrol

Which directives you may place in these files is determined by the AllowOverride directive.  AllowOverride decides whether a given directive is honoured when it appears in a .htaccess file.  The significance of this is that the overall configuration and security of Apache remain controlled by the main config file, httpd.conf (CentOS) or apache2.conf (Ubuntu).

Typically the only situation in which you would use a .htaccess file is when a web hosting company needs to allow configuration changes for individual directories.  This lets individual users make changes that affect only their own directories.  Instead of using .htaccess files you could place the same settings in a <Directory> section of the main configuration file.

Here is an example of placing, in a <Directory> section, settings that would otherwise have gone into a .htaccess file.

<Directory /var/www/html>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
</Directory>

A performance loss is created when you use .htaccess files, because Apache must look in every directory for any additional .htaccess files.  In addition, the .htaccess file is re-read every time a document is requested, another major performance loss.  To make matters worse, Apache must also look in the higher-level directories to verify that there are no .htaccess files there as well.

In summary, if you use .htaccess files you will incur 4 additional file-system accesses even if those files are not present.

Another issue is that if you use .htaccess files you are allowing individuals to make decisions on the server configuration.  Their decisions may not be in the best interest of the server as a whole.

The .htaccess file can be completely disabled by using

AllowOverride None

Here is the default in the httpd.conf for CentOS:

<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>

When you set up .htaccess files they are effective for the directory they are placed in as well as any subdirectories.  If you wanted to set up a directory so that it could execute CGI scripts, you could use a .htaccess file to do that.  First you must change the default settings so that they permit Options in .htaccess files, like so:

<Directory />
Options FollowSymLinks
AllowOverride Options
</Directory>

So here the “None” was changed to “Options”.

Now in the .htaccess file you can place a line like this:

Options +ExecCGI
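The directory walk and the AllowOverride gate described above, modelled in Python as an added example that is not part of the original post. The directive-to-category table is a small subset of the one in the Apache documentation, the directory tree the demo evaluates is constructed in a temporary directory, and the demo also shows the failure case the post leaves out: a .htaccess directive that the parent AllowOverride does not permit.

```python
import os
import tempfile

# AllowOverride category each directive needs (a subset of the Apache docs' table).
NEEDS = {"Options": "Options", "AuthType": "AuthConfig", "AuthName": "AuthConfig",
         "AuthUserFile": "AuthConfig", "Require": "AuthConfig",
         "RewriteEngine": "FileInfo", "RewriteCond": "FileInfo", "RewriteRule": "FileInfo"}

def lookup_paths(filename, access_file_name=".htaccess"):
    """Access files probed for one request: one per directory from / down to the file's own directory, existing or not."""
    d, paths = os.path.dirname(os.path.abspath(filename)), []
    while True:
        paths.append(os.path.join(d, access_file_name))
        parent = os.path.dirname(d)
        if parent == d:
            return paths[::-1]          # root first: that is the merge order
        d = parent

def process_request(filename, allow_override):
    """Merge directives root-first. 'None' reads no access file at all (Apache 2.3.9+); a directive
    outside the permitted categories is Apache's 'not allowed here' error, seen by the client as a 500."""
    allowed = set(allow_override.split())
    if allowed == {"None"}:
        return {"status": 200, "directives": {}, "probes": 0}
    merged, paths = {}, lookup_paths(filename)
    for path in paths:
        if not os.path.isfile(path):
            continue
        with open(path) as fh:
            for line in fh:
                line = line.strip()
                if not line or line.startswith("#"):
                    continue
                directive, _, args = line.partition(" ")
                need = NEEDS.get(directive)
                if need and need not in allowed and "All" not in allowed:
                    return {"status": 500, "probes": len(paths),
                            "error": f"{directive} not allowed here"}
                merged[directive] = args
    return {"status": 200, "directives": merged, "probes": len(paths)}

def demo():
    """Constructed tree <tmp>/html/cgi/.htaccess with 'Options +ExecCGI', evaluated
    under the three AllowOverride settings the post walks through."""
    cgi = os.path.join(tempfile.mkdtemp(), "html", "cgi")
    os.makedirs(cgi)
    with open(os.path.join(cgi, ".htaccess"), "w") as fh:
        fh.write("# constructed sample\nOptions +ExecCGI\n")
    return {ao: process_request(os.path.join(cgi, "hello.cgi"), ao) for ao in ("None", "Options", "AuthConfig")}
```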

If you want to use .htaccess files to control access with authentication, you first need to change the default “None” to “AuthConfig”.

<Directory />
Options FollowSymLinks
AllowOverride AuthConfig
</Directory>

Now in the .htaccess file you can place your configuration for authentication.

AuthType Basic
AuthName "Security"
AuthUserFile /etc/httpd/passwords
Require valid-user

Save this .htaccess file to the directory above the one you want to protect.

This requires you to use htpasswd to create the file /etc/httpd/passwords that the .htaccess file refers to.  If you do not have access to /etc/httpd you will need to change the AuthUserFile path in the .htaccess file and create a .htpasswd file in your own directory, like so:

AuthType Basic
AuthName "Security"
AuthUserFile /path/to/your/directory/.htpasswd
Require valid-user

htpasswd -c /path/to/your/directory/.htpasswd username

chmod 644 /path/to/your/directory/.htpasswd

Here username is the account you are creating.  htpasswd -c creates the file (and overwrites it if it already exists), so the file name you pass to it must be the .htpasswd file named in AuthUserFile, never the .htaccess file itself.  The stock Apache configuration refuses to serve any file whose name begins with .ht, which is what keeps a .htpasswd inside the web tree from being downloadable; check that this rule is still present before relying on it.

Here is an example of a typical Joomla .htaccess file:

RewriteEngine On

########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!
#
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked requests to the homepage with a 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common exploits

#  Uncomment the following line if your webserver's URL
#  is not directly related to physical file paths.
#  Update Your Joomla! Directory (just / for root)

# RewriteBase /

########## Begin - Joomla! core SEF Section
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/index.php
RewriteCond %{REQUEST_URI} (/|\.php|\.html|\.htm|\.feed|\.pdf|\.raw|/[^.]*)$  [NC]
RewriteRule (.*) index.php
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
#
########## End - Joomla! core SEF Section
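The five QUERY_STRING conditions of the Joomla file above, turned into a small Python harness so the rule set can be exercised against constructed query strings. This is added here and is not part of the original post or of Joomla; it mirrors the chain's [OR] and [NC] flags and, like mod_rewrite, compares the raw, still-encoded query string.

```python
import re

# The five RewriteCond patterns from the Joomla .htaccess above. The first four
# carry [OR], so the chain fires when any single condition matches; only the
# <script> rule carries [NC], so only that one is case-insensitive.
BLOCK_CONDITIONS = [
    re.compile(r"mosConfig_[a-zA-Z_]{1,21}(=|\%3D)"),
    re.compile(r"base64_encode.*\(.*\)"),
    re.compile(r"(\<|%3C).*script.*(\>|%3E)", re.IGNORECASE),
    re.compile(r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})"),
    re.compile(r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})"),
]

def rewrite_decision(query_string):
    """Return (403, pattern) when the [F] rule would fire for this raw query
    string, else (200, None). No %xx decoding is done: mod_rewrite compares
    QUERY_STRING exactly as the client sent it."""
    for cond in BLOCK_CONDITIONS:
        if cond.search(query_string):
            return 403, cond.pattern
    return 200, None

# Constructed sample query strings (not captured traffic): two ordinary Joomla
# requests, then one request per blocking rule.
SAMPLES = [
    "option=com_content&view=article&id=12",
    "search=javascript+tutorial",
    "mosConfig_live_site=1",
    "q=base64_encode(abc)",
    "q=%3cSCRIPT%3ealert(1)%3c/script%3e",
    "GLOBALS[foo]=1",
    "_REQUEST%5Bbar%5D=1",
]

def run_samples():
    """Map each sample query string to the status the rewrite chain would produce."""
    return {qs: rewrite_decision(qs)[0] for qs in SAMPLES}
```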

{ 1 comment }

URL Directory December 16, 2008 at 5:39 pm

Well, I never understood this whole thing.
