htaccess-file example

# Place a .htaccess file in each directory you want to protect.
########################################################################
#                    SECURITY / ACCESS CONTROL                         #
# If the web server's AllowOverride allows AUTHCONFIG to be overridden #
########################################################################
#
# Save both .htpasswd and .htgroup files in a directory above "documentroot" directory
# (e.g. not in or below /apache/htdocs) but could be below "serverroot" directory
# (e.g. below /apache).

# This will pop-up a user/password dialog box saying Realm = 
AuthName "Restricted Area"

# AuthType is normally basic.  Not very secure (the password travels base64-encoded,
# not encrypted, with every request) until "Digest" type becomes prevalent
AuthType basic

# If value of AuthUserFile doesn't begin with a slash, it is treated as
# relative to the ServerRoot (not DocumentRoot!)
AuthUserFile "/userhome/blahBlah/.htpasswd"
AuthGroupFile "/userhome/blahBlah/.htgroup"

# Each line of the user file contains a username followed by a colon, followed by the crypt()
# encrypted password. The behavior of multiple occurrences of the same user is undefined. 
# You can generate a password file on your system by typing commands on the OS prompt as follows:
#    htpasswd -c Filename username     # Creates a password file 'Filename' with 'username'
#                                      # as the first user. It will prompt for the new password.
#    htpasswd Filename username2       # Adds 'username2' to password file 'Filename', or changes its password.
#
# Each line of the group file contains a groupname followed by a colon, followed by 
# the member usernames separated by spaces. For example, put this on one line in the .htgroup file:
# mygroup: bob joe anne

# Setting this to off forwards a not-found userid to the next-in-line module for authentication.
# 'On' is the default.  It is better that way.
#AuthAuthoritative off

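# Now, we allow specific users or groups to get in.
# Multiple require lines are alternatives: a request that satisfies any one of them is let in.
# With valid-user present, every user in the password file gets in and the group line
# adds nothing; keep only the group line to restrict access to those groups.
# require user joe john mary
require valid-user
require group family friends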

# More Authentication related, rarely used 
# AuthDBGroupFile 
# AuthDBUserFile 
# AuthDBAuthoritative 
# AuthDBMGroupFile 
# AuthDBMUserFile 
# AuthDBMAuthoritative 
# AuthDigestFile 
# AuthDigestGroupFile 
# AuthDigestQop 
# AuthDigestNonceLifetime 
# AuthDigestNonceFormat 
# AuthDigestNcCheck 
# AuthDigestAlgorithm 
# AuthDigestDomain 
# Using Digest Authentication

###############################################################################
# From here on, if something is not working as you might expect, make sure that
# the corresponding AllowOverride is enabled in the relevant sections
# of the server configuration files (generally httpd.conf, can be access.conf or srm.conf).
# AllowOverride could be:
# 1. AuthConfig (allows AuthName, AuthUserFile, require etc. in .htaccess file)
# 2. FileInfo (allows AddType, DefaultType, ErrorDocument etc. in .htaccess file) 
# 3. Indexes (allows DirectoryIndex, FancyIndexing, IndexOptions etc. in .htaccess file) 
# 4. Limit (allows use of allow, deny and order directives which control access by host)
# 5. Options (allows use of options directive in .htaccess file - see below)
# 6. All (allows all of the above in .htaccess file.  Rare)
# 7. None (allows none of the above in .htaccess file.  Rare)
# Usually, AuthConfig is allowed.  Rest is up to the particular web host company.
#
# If you get server errors after putting this file in, try disabling
# each section below one-by-one to see what your web hosting company
# allows (or you can ask them 🙂)
###############################################################################

######################################################################
# If the web server's AllowOverride allows FILEINFO to be overridden #
######################################################################
# CookieTracking, AddType, DefaultType, AddHandler, Action, ErrorDocument
# Redirect, Redirectmatch, RedirectPermanent, RedirectTemp
# AddEncoding, AddCharset, AddLanguage, LanguagePriority, DefaultLanguage

#### Comment it out if UserTrack module is not loaded in the server
#CookieName "woiqatty"
#CookieTracking on

# Tweak mime.types without actually editing it, or make certain files to be certain types.
#AddType application/x-httpd-php3 .phtml
AddType application/x-httpd-php3 .php
AddType application/x-httpd-php3 .php3
AddType application/x-httpd-php3-source .phps
AddType application/x-tar .tgz

# In this directory, default filetype is this one if Server cannot
# otherwise determine from filename extensions.
# Mostly text or HTML - "text/plain", gif images - "image/gif", 
# compiled programs - "application/octet-stream"
DefaultType text/plain
# DefaultType image/gif
# DefaultType  application/octet-stream

################### THIS IS IMPORTANT! #####################
# AddHandler allows you to map certain file extensions to "handlers",
# actions unrelated to filetype. These can be either built into the server
# or added with the Action command (see below).
# If you want to use server side includes, or CGI outside
# ScriptAliased directories, uncomment the following lines.

# To use CGI scripts:
AddHandler cgi-script cgi pl

# To use server-parsed HTML files
AddType text/html .shtml
AddHandler server-parsed .shtml

# Example of a file whose contents are sent as is so as to tell the client that a file has redirected. 
#
# Server always adds a Date: and Server: header to the data returned to the client, 
# so don't include these in the file.
#AddHandler send-as-is asis

# If you wish to use server-parsed imagemap files, use
AddHandler imap-file map

# For content negotiation use
#AddHandler type-map var

# Action lets you define media types that will execute a script whenever
# a matching file is called. This eliminates the need for repeated URL
# pathnames for oft-used CGI file processors.
# Format: Action action-type cgi-script
# Format: Action media/type /cgi-script/location
# Format: Action handler-name /cgi-script/location
#Action cgi-script /cgi-bin/default.cgi

# Redirect [status] ABSOLUTE-path-of-old-url new-url.  Default status is temp.
# Status is one of permanent (returns 301), temp (returns 302), 
# seeother (returns 303, see other document in same place), 
# gone (returns 410, no longer available at all) - Don't specify new-URL
# Here, if the client requests http://myserver/service/foo.txt, it will be told 
# to access http://foo2.bar.com/service/foo.txt instead. 
#Redirect /service http://foo2.bar.com/service
# Customizable error response.  Three styles:
# 1. Plain Text - the (") marks it as text, it does not get output
#ErrorDocument 500 "The server made a boo boo.
# 2. Local Redirects - e.g. To redirect to local URL /missing.html
#ErrorDocument 404 /missing.html
#ErrorDocument 404 /cgi-bin/missing_handler.pl
# 3. External Redirects (All env. variables don't go to the redirected location)
#ErrorDocument 402 http://some.other_server.com/subscription_info.html

# Mosaic/X 2.1+ browsers can uncompress information on the fly
AddEncoding x-compress Z
AddEncoding x-gzip gz tgz

#Content negotiation directives
#AddLanguage fr .fr
# Just list the languages in decreasing order of preference.
LanguagePriority en fr it

######################################################################
# If the web server's AllowOverride allows INDEXES to be overridden  #
######################################################################
# DirectoryIndex, ExpiresActive, ExpiresByType, ExpiresDefault
# ImapBase, ImapDefault, ImapMenu
# FancyIndexing, IndexOptions, IndexOrderDefault, IndexIgnore, HeaderName, ReadmeName
# AddDescription, AddAlt, AddAltByEncoding, AddAltByType
# AddIcon, AddIconByEncoding, AddIconByType, DefaultIcon

# Default file to send to the client if none specified.  
# Separate multiple entries with spaces.
# If none of these files exists in a directory, a directory listing may
# be returned depending on Options Indexes setting.
DirectoryIndex index.html index.htm index.shtml index.php index.php3 index.pl index.cgi /cgi-bin/index.cgi

# Must enable expirations to use other expire directives
#ExpiresActive on
# 'M' means that the file's last modification time should be used as the base time
# 'A' means the client's access time should be used as base time
#ExpiresDefault M604800
# Expire GIF images after a month in the client's cache
#ExpiresByType image/gif A2592000  
# HTML documents are good for a week from the time they were changed, period     
#ExpiresByType text/html M604800  
#ExpiresByType text/html "access plus 1 month 15 days 2 hours" 
#ExpiresDefault "modification plus 5 hours 3 minutes" 
#ExpiresByType text/html "now plus 1 month 15 days 2 hours"

# ImapMenu can be none, formatted, semiformatted, unformatted
ImapMenu semiformatted
# ImapDefault can be error, nocontent, map, referer, or some useful URL.
#  The .map file overrides this.
ImapDefault map
# ImapBase can be map, referer, URL.  The .map file overrides this.
ImapBase referer

############## THIS HERE IS NOT TOO IMPORTANT! ###################
# Apache version dependent.  If Options indexes is allowed, Server will behave as follows:
#IndexOptions FancyIndexing FoldersFirst NameWidth=* DescriptionWidth=*
#IndexOptions FancyIndexing NameWidth=*
#IndexOptions +IconHeight=20 +IconWidth=20 +IconsAreLinks
#IndexOptions +ScanHTMLTitles
#IndexOptions +SuppressColumnSorting 
#IndexOptions +SuppressDescription 
#IndexOptions +SuppressLastModified 
#IndexOptions +SuppressSize 
#IndexOptions SuppressHTMLPreamble
# Sort by Name, Date, Size, or Description? Default is name.
#IndexOrderDefault Ascending Name
# Don't list these files
#IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t

# Server .conf should already have set these up.  You should only set
# the missing ones in .htaccess files (if you ever find out)
#AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
#AddIconByType (TXT,/icons/text.gif) text/*
#AddIconByType (IMG,/icons/image2.gif) image/*
#AddIcon /icons/binary.gif .bin .exe
#AddIcon /icons/text.gif .txt
#AddIcon /icons/uuencoded.gif .uu
#AddIcon /icons/hand.right.gif README
#AddIcon /icons/folder.gif ^^DIRECTORY^^
#AddIcon /icons/blank.gif ^^BLANKICON^^
# If no file type matches..
#DefaultIcon /icons/unknown.gif
#AddDescription "GZIP compressed document" .gz
AddDescription "Java class file" .class
AddDescription "Java source file" .java
AddDescription "Java Server Pages source file" .jsp
# Server writes the contents of HeaderName file before the directory listing by adding .html or .txt to the specified name.
# Server writes the contents of ReadmeName after the directory listing.
# The server looks for the-specified-name.html, then the-specified-name.txt
ReadmeName README
HeaderName HEADER
############## END OF NOT-TOO-IMPORTANT ###################

######################################################################
# If the web server's AllowOverride allows LIMIT to be overridden    #
######################################################################
# order, allow from, deny from, allow from env, deny from env

# Controls which domain name or computer host client can get stuff from this server.  
# No space between allow and deny in order (just comma).  allow from all is default
#order allow,deny
#deny from all
#deny from www.yahoo.com
#allow from www.yahoo.com
# The allow from env directive controls access to a directory by the existence
# (or non-existence) of an environment variable. Example: 
# BrowserMatch ^KnockKnock/2.0 let_me_in
# 
#     order deny,allow
#     deny from all
#     allow from env=let_me_in
# 
######################################################################
# If the web server's AllowOverride allows OPTIONS to be overridden  #
######################################################################
# Options, XBitHack, CheckSpelling, Example - in order of importance

# Options:
# ExecCGI - Execution of CGI scripts is permitted
# FollowSymLinks - Server will follow symbolic links in this directory
# SymLinksIfOwnerMatch - Server follows sym links if target file/dir owned by the same user id as the link
# Includes - Server-side includes are permitted
# IncludesNOEXEC - Server-side includes permitted, #exec and #include of CGI scripts are disabled
# Indexes - Lists directory if no index file is found
# MultiViews - Content negotiated MultiViews are allowed. 
# Note that "MultiViews" must be named *explicitly* --- "Options All" doesn't give it to you.
# This here resets any previous settings
# Options IncludesNOEXEC MultiViews
Options Includes MultiViews
# Or, add/subtract from prior options
#Options +Indexes -Includes
# To disable execution of SSI and CGI in this directory
#Options -Includes -IncludesNOEXEC -ExecCGI

# Checks "user" execute permission on file.  If yes, executes it as SSI.
# Then, no need for special file extension .shtml
XBitHack on

# Matches document(s) if maximum one spelling mistake
# CheckSpelling  on

#Example directive is Apache API related for Apache programmers

######################################################################
# The following do not depend on AllowOverride setting at all        #
# These are either always available or need a loaded module          #
######################################################################
# Generally available:
# Satisfy, ServerSignature, LimitRequestBody
#  ... ,  ... 
#  ... ,  ... 
#  ... ,  ... 
# ForceType, SetHandler, RemoveHandler, AddDefaultCharset
# Optionally installed modules:
# CookieName, Header

# Satisfy any is used to password restrict an area, but to let clients from particular
# addresses as defined in 'allow from' to get in without prompting for a password. Default is "all"
#Satisfy any

# Access control by file name in a directory where .htaccess file is placed:
# The following lines prevent .htaccess files from being viewed by
# Web clients.  Since .htaccess files often contain authorization
# information, access is disallowed for security reasons.  Comment
# these lines out if you want Web visitors to see the contents of
# .htaccess files.  If you change the AccessFileName directive above,
# be sure to make the corresponding changes here.

<Files .htaccess>
    order allow,deny
    deny from all
</Files>

# Can use reg exp  instead of line below.
#
#       order allow,deny
#       allow from all
#

# Optionally add a line containing the server version and virtual host
# name to server-generated pages (error documents, FTP directory listings,
# mod_status and mod_info output etc., but not CGI generated documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
#ServerSignature On
#ServerSignature EMail

# Specify cookie name to be used if CookieTracking is set to on.  Needs mod_usertrack installed.
# I specify this up in FileInfo overriding
# CookieName "woiqatty"

# To limit denial-of-service attacks, cap the size of a request body (value is in bytes)
LimitRequestBody 3000000

# For documents served through this directory, modify headers as follows:
# Can also be set, add.  mod_headers is not generally available.
#Header append Author "V. Singla"   
#Header unset Author

################# For Apache Windows version only ######################

# use this to specify whether Apache should search windows registry
# or the #! line of the called script itself for interpreter name and location.
#ScriptInterpreterSource script
# Tries to match the called file's extension in registry (e.g. search registry for .pl or .cgi)
#ScriptInterpreterSource registry

############ END OF .htaccess FILE #############
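
An added example, not part of the original file: a small Python audit of a .htaccess body for three points the comments above raise, namely password and group files that resolve inside DocumentRoot (relative paths are joined to ServerRoot), a `require valid-user` line sitting beside narrower `require` lines, and `Options Includes` combined with `XBitHack on`. The function name, the finding texts and the two sample bodies are constructed for illustration; /apache and /apache/htdocs are the example roots named in the comments at the top of the file.

```python
import posixpath

def audit_htaccess(text, server_root, document_root):
    """Return (directive, finding) pairs for risky settings in a .htaccess body."""
    directives = []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            directives.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    findings = []
    doc_root = posixpath.normpath(document_root)
    for name, args in directives:
        if name in ("authuserfile", "authgroupfile"):
            path = args.strip('"')
            if not path.startswith("/"):  # no leading slash: relative to ServerRoot
                path = posixpath.join(server_root, path)
            path = posixpath.normpath(path)
            if path == doc_root or path.startswith(doc_root + "/"):
                findings.append((name, path + " is inside DocumentRoot"))
    # Require lines are alternatives: satisfying any one of them grants access.
    requires = [args.lower() for name, args in directives if name == "require"]
    if "valid-user" in requires and len(requires) > 1:
        findings.append(("require", "valid-user makes the narrower require lines moot"))
    # Options Includes (unlike IncludesNOEXEC) leaves #exec enabled, and XBitHack
    # extends SSI parsing to files with the user-execute bit. Simplified: no merge
    # tracking across several Options lines.
    opts = [t.lstrip("+").lower() for n, a in directives if n == "options" for t in a.split()]
    xbit = any(n == "xbithack" and a.lower() in ("on", "full") for n, a in directives)
    if "includes" in opts and xbit:
        findings.append(("options", "SSI #exec is enabled for files with the execute bit"))
    return findings

# Constructed sample inputs (not taken from any real site).
WEAK = """\
AuthUserFile "htdocs/private/.htpasswd"
require valid-user
require group family friends
Options Includes MultiViews
XBitHack on
"""
HARDENED = """\
AuthUserFile "/userhome/blahBlah/.htpasswd"
require group family friends
Options IncludesNOEXEC MultiViews
XBitHack on
"""

if __name__ == "__main__":
    for label, body in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_htaccess(body, "/apache", "/apache/htdocs"))
```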


