.htaccess files provide a way to make configuration changes on a per-directory basis.
1. Why/how to use .htaccess
.htaccess files (or "distributed configuration files") provide a way to make configuration changes on a per-directory basis. A file containing one or more configuration directives is placed in a particular document directory, and the directives apply to that directory and all its subdirectories.
Note: If you want to call your .htaccess file something else, you can change the file name with the AccessFileName directive. For example, if you would rather call the file .config, you would put the following into the server configuration file:
AccessFileName ".config"
Typically, .htaccess files use the same syntax as the main configuration file. What can be placed in these files is determined by the AllowOverride directive. This directive specifies, in categories, which directives will be honored if they are found in a .htaccess file. If a directive is allowed in a .htaccess file, the documentation for that directive contains an Override section that specifies the value that must be in AllowOverride for the directive to be allowed.
2. When to use/not to use .htaccess files
Generally, .htaccess files should only be used when the main server configuration file is inaccessible. For example, there is a common misconception that user authentication should always be done in .htaccess files, and in recent years another misconception is that mod_rewrite directives must be placed in .htaccess files. That's not the case at all. You can put the user authentication configuration in the main server configuration, and in fact this is the preferred way of doing things. Likewise, mod_rewrite directives work better, in many ways, in the main server configuration.
.htaccess files should be used in situations where the content provider needs to make configuration changes to the server on a per-directory basis but does not have root access on the server system. If the server administrator is unwilling to make frequent configuration changes, it may be desirable to allow individual users to make these changes in .htaccess files themselves. This is especially true, for example, where an ISP hosts multiple user sites on a single computer and wants its users to be able to change their configurations.
However, in general, .htaccess files should be avoided whenever possible. Any configuration you would consider putting into a .htaccess file can be done just as effectively in a <Directory> section of the main server configuration file.
There are two main reasons to avoid using .htaccess files.
The first is performance. When AllowOverride is set to allow .htaccess files, httpd will look for .htaccess files in every directory. Therefore, allowing .htaccess files results in performance degradation, regardless of whether you actually use them. Additionally, the .htaccess file is loaded every time a document is requested.
Also note that httpd must look for .htaccess files in all higher-level directories in order to have the full set of directives that must be applied. Therefore, if a file is requested from the directory /www/htdocs/example, httpd must look for the following files:
/.htaccess
/www/.htaccess
/www/htdocs/.htaccess
/www/htdocs/example/.htaccess
So for every file access in that directory, there are 4 extra file system accesses, even if none of those files exist. (Note that this only occurs if .htaccess files are enabled for /, which is generally not the case.)
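The lookup described above can be reproduced for any directory, which makes it easy to see where per-directory files are consulted at all. This is an added example, not code from httpd; it is a simplified model that assumes literal (non-regex) <Directory> paths, ignores AllowOverrideList, and uses a constructed sample configuration.

```python
from pathlib import PurePosixPath

# Constructed sample: (<Directory> path, AllowOverride value) pairs as they
# might be read out of a main server configuration.
SAMPLE_SECTIONS = [
    ("/", "None"),
    ("/www/htdocs", "AuthConfig"),
    ("/www/htdocs/static", "None"),
]


def ancestors(directory):
    """Return '/', then each deeper directory down to `directory`."""
    path = PurePosixPath(directory)
    return [str(p) for p in reversed([path, *path.parents])]


def htaccess_lookups(sections, directory, filename=".htaccess"):
    """List the per-directory files httpd would look for, top of the tree first.

    Assumptions of this model: AllowOverride is inherited from the nearest
    enclosing <Directory> section and defaults to None when nothing sets it.
    `filename` stands in for the AccessFileName setting.
    """
    table = dict(sections)
    effective = "None"
    lookups = []
    for level in ancestors(directory):
        effective = table.get(level, effective)
        if effective.lower() != "none":
            # Overrides are allowed here, so the file is searched for on every
            # request, whether or not it exists.
            lookups.append((str(PurePosixPath(level) / filename), effective))
    return lookups


if __name__ == "__main__":
    for target in ("/www/htdocs/example", "/www/htdocs/static/img"):
        print(target, htaccess_lookups(SAMPLE_SECTIONS, target))
```

Every path it returns is a location where whoever can write to that directory can change server behaviour, within the listed override categories.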
In the case of RewriteRule directives, in .htaccess context these regular expressions must be recompiled with every request to the directory, whereas in the main server configuration context they are compiled once and cached. Additionally, the rules themselves are more complex, because one must work around the restrictions that come with per-directory context and mod_rewrite.
The second consideration is security. You are allowing users to modify the server configuration, which may result in changes over which you have no control. Carefully consider whether you want to give your users this privilege. Also note that giving users fewer privileges than they need will result in additional technical support requests. Make sure you clearly tell users what level of privileges you have given them. Specifying exactly what you have set AllowOverride to, and pointing them to the relevant documentation, will save you a lot of confusion later.
Note that placing a .htaccess file containing a directive in the directory /www/htdocs/example is exactly equivalent to placing the same directive in a <Directory "/www/htdocs/example"> section of the main server configuration.
Contents of the .htaccess file in /www/htdocs/example:
AddType text/example ".exm"
Contents of httpd.conf file:
<Directory "/www/htdocs/example">
AddType text/example ".exm"
</Directory>
However, placing this configuration in the server configuration file results in a smaller performance penalty, because the configuration is loaded once when httpd starts, rather than every time a file is requested.
The use of .htaccess files can be completely disabled by setting the AllowOverride directive to none:
AllowOverride None
3. How directives are applied
Configuration directives found in a .htaccess file are applied to the directory in which the .htaccess file is found and to all its subdirectories. However, it's important to also remember that .htaccess files may exist in directories higher up. Directives are applied in the order they are found. Therefore, a .htaccess file in a specific directory may override directives found in .htaccess files higher in the directory tree. Those, in turn, may have overridden directives found higher up still, or in the main server configuration file itself.
Example:
In the directory /www/htdocs/example1, there is a .htaccess file with the following content:
Options +ExecCGI
NOTE: AllowOverride Options must be in effect to allow the Options directive to be used in .htaccess files.
In the directory /www/htdocs/example1/example2, there is a .htaccess file with the contents:
Options Includes
Because of this second .htaccess file, in the directory /www/htdocs/example1/example2, CGI execution is not permitted, as only Options Includes is in effect, which completely overrides any earlier settings that may have been in place.
Merging .htaccess with the main configuration file
.htaccess files can override the <Directory> sections for the corresponding directory, but will be overridden by other types of configuration sections in the main configuration file. This can be used to enforce certain configurations, even when a liberal AllowOverride setting is in place. For example, to prevent script execution while allowing anything else to be set in .htaccess, you could use:
<Directory "/www/htdocs">
AllowOverride All
</Directory>
<Location "/">
Options +IncludesNoExec -ExecCGI
</Location>
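The two Options cases above (an unsigned value replacing earlier settings, and a <Location> section having the last word over .htaccess) can be traced with a small model. This is an added example, not httpd code; the layer lists are constructed from the directives shown on this page, and option names are treated as independent labels, which is a simplification.

```python
def apply_options(current, directive):
    """Apply the arguments of one Options directive to the current option set."""
    words = directive.split()
    signed = [w[0] in "+-" for w in words]
    if any(signed) and not all(signed):
        # httpd 2.4 treats a mix of signed and unsigned options as invalid syntax.
        raise ValueError("cannot mix +/- options with unsigned options")
    if not any(signed):
        # Unsigned: the directive replaces everything set so far.
        return set() if [w.lower() for w in words] == ["none"] else set(words)
    result = set(current)
    for word in words:
        if word[0] == "+":
            result.add(word[1:])
        else:
            result.discard(word[1:])
    return result


def effective_options(layers, base=()):
    """Fold (source, options) pairs in merge order: <Directory>, then .htaccess
    files from the top of the tree down, then <Location>."""
    options = set(base)
    for _source, directive in layers:
        options = apply_options(options, directive)
    return options


# Constructed from the example1/example2 case on this page.
NESTED_HTACCESS = [
    ("/www/htdocs/example1/.htaccess", "+ExecCGI"),
    ("/www/htdocs/example1/example2/.htaccess", "Includes"),
]

# Constructed from the <Location "/"> enforcement case on this page.
ENFORCED_BY_LOCATION = [
    ("/www/htdocs/.htaccess", "+ExecCGI"),
    ('<Location "/">', "+IncludesNoExec -ExecCGI"),
]

if __name__ == "__main__":
    print(sorted(effective_options(NESTED_HTACCESS)))
    print(sorted(effective_options(ENFORCED_BY_LOCATION)))
```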
4. Authentication example
There is a common misconception that you need to use .htaccess files to implement password authentication. Placing the authentication directives in a <Directory> section of the main server configuration file is the preferred way to achieve this, and .htaccess files should only be used if you do not have access to the main server configuration file. See above for when .htaccess files should and should not be used.
Having said that, if you still think you need to use .htaccess files, you may find that the following configuration works for you.
.htaccess file contents:
AuthType Basic
AuthName "Password Required"
AuthUserFile "/www/passwords/password.file"
AuthGroupFile "/www/passwords/group.file"
Require group admins
Please note that AllowOverride AuthConfig must be in effect for these directives to take effect.
5. Server-side include examples
Another common use for .htaccess files is to enable server-side includes for specific directories. This can be accomplished with the following configuration directives, placed in a .htaccess file in the required directory:
Options +Includes
AddType text/html shtml
AddHandler server-parsed shtml
Note that AllowOverride Options and AllowOverride FileInfo must both be in effect for these directives to take effect.
6. Rewrite rules in .htaccess files
When RewriteRule is used within a .htaccess file, note that the per-directory context changes things slightly. In particular, rules are considered relative to the current directory, not the original requested URI. Consider the following example:
# In httpd.conf
RewriteRule "^/images/(.+)\.jpg" "/images/$1.png"
# In .htaccess in root dir
RewriteRule "^images/(.+)\.jpg" "images/$1.png"
# In .htaccess in images/
RewriteRule "^(.+)\.jpg" "$1.png"
In a .htaccess file in the document directory, the leading slash is removed from the value provided to RewriteRule, and in the images subdirectory, /images/ is removed from it. Therefore, the regular expression needs to omit that part as well.
7. CGI Examples
Finally, you may want to use a .htaccess file to allow execution of CGI programs in specific directories. This can be achieved with the following configuration:
Options +ExecCGI
AddHandler cgi-script cgi pl
Alternatively, if you want all files in a given directory to be considered CGI programs, this might be achieved with the following configuration:
Options +ExecCGI
SetHandler cgi-script
Please note that AllowOverride Options and AllowOverride FileInfo must both be in effect for these directives to take effect.