.htaccess files are used as configuration files for sites running on an Apache web server. If running a PHP application, some useful htaccess configuration code snippets can be seen below.
To set PHP values, you can use php_value
followed by the directive and the value. For example, PHP 5 values can be added within the mod_php5
nodes.
<IfModule mod_php5.c>
php_value memory_limit 512M
php_value upload_max_filesize 32M
</IfModule>
To route all requests through through an index.php file, ensure that mod_rewrite
is enabled and add the following rewrite rule.
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php/$1?%{QUERY_STRING} [L]
</IfModule>
If running a live application, you may wish to redirect users to the www
subdomain and possibly using https
, should you have a valid SSL certificate installed. Again, this snippet will only work is mod_rewrite is enabled.
<IfModule mod_rewrite.c>
RewriteCond %{HTTPS} off
# First rewrite to HTTPS:
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# Now, rewrite any request to the wrong domain to use www.
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule .* https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
Gzip compression compresses your web pages and stylesheets before sending them over to the browser, which improves page speed performance.
Enabling Gzip compression can be done by adding the following code, and will only work if the mod_deflate
module is enabled.
<IfModule mod_deflate.c>
# Compress HTML, CSS, JavaScript, Text, XML and fonts
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
AddOutputFilterByType DEFLATE application/x-font
AddOutputFilterByType DEFLATE application/x-font-opentype
AddOutputFilterByType DEFLATE application/x-font-otf
AddOutputFilterByType DEFLATE application/x-font-truetype
AddOutputFilterByType DEFLATE application/x-font-ttf
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE font/opentype
AddOutputFilterByType DEFLATE font/otf
AddOutputFilterByType DEFLATE font/ttf
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE image/x-icon
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/xml
# Remove browser bugs (only needed for really old browsers)
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
Header append Vary User-Agent
</IfModule>
Leveraging browser caching so that your static resources are cached in the user’s browser can aid website performance. The code below requires the mod_expires
module.
<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault "access plus 1 seconds"
ExpiresByType text/html "access plus 1 seconds"
ExpiresByType image/x-icon "access plus 2592000 seconds"
ExpiresByType image/gif "access plus 2592000 seconds"
ExpiresByType image/jpeg "access plus 2592000 seconds"
ExpiresByType image/png "access plus 2592000 seconds"
ExpiresByType text/css "access plus 604800 seconds"
ExpiresByType text/javascript "access plus 86400 seconds"
ExpiresByType application/x-javascript "access plus 86400 seconds"
</IfModule>
To deny users access to your website, but allow a selected list of IP addresses access, use the deny
and allow
keywords.
For example, in Apache 2.2, if you wanted to deny all users access, except users visiting from an IP of 1.2.3.4
, you could write the following:
Order deny,allow
Deny from all
Allow from 1.2.3.4
For Apache 2.4, the syntax is slightly different.
# Require all denied
# Require ip 1.2.3.4
If you would rather password protect the website, this can be achieved by creating a .htpasswd
file on the server, preferably outside of the document root, and adding the following configuration:
AuthType Basic
AuthName "Authentication required"
AuthUserFile /home/user/.htpasswd
Require valid-user
The .htpasswd
contains the username and the hashed password on a single line. It might look similar to the below.
admin:$apr1$xo.YhGaq$ifuFi9Rz25njt43ICElN3R2Cos.
You can also deny access to particular files, such as .htaccess
and .gitignore
files.
<Files .gitignore>
order allow,deny
deny from all
</Files>
<Files .htaccess>
order allow,deny
deny from all
</Files>
<Files composer.json>
order allow,deny
deny from all
</Files>
<Files composer.lock>
order allow,deny
deny from all
</Files>
To protect certain directories, the directories themselves will usually have their own .htaccess
that contains the deny
code.
Order deny,allow
Deny from all
To configure custom error pages, use the ErrorDocument
keyword, followed by the error code and the link to the page. Alternatively, you can pass in text or HTML rather than a link to the page.
ErrorDocument 500 /errors/404.php
ErrorDocument 404 "Oops, that page was <strong>not found</strong>"