Useful htaccess Configuration

22nd July 2017

.htaccess files are used as configuration files for sites running on an Apache web server. If running a PHP application, some useful htaccess configuration code snippets can be seen below.

To set PHP values, you can use php_value followed by the directive and the value. For example, PHP 5 values can be added within the mod_php5 nodes.

<IfModule mod_php5.c>
    php_value memory_limit 512M
    php_value upload_max_filesize 32M
</IfModule>

To route all requests through through an index.php file, ensure that mod_rewrite is enabled and add the following rewrite rule.

<IfModule mod_rewrite.c>
    RewriteEngine on

    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^(.*)$ index.php/$1?%{QUERY_STRING} [L]
</IfModule>

If running a live application, you may wish to redirect users to the www subdomain and possibly using https, should you have a valid SSL certificate installed. Again, this snippet will only work is mod_rewrite is enabled.

<IfModule mod_rewrite.c>
    RewriteCond %{HTTPS} off

    # First rewrite to HTTPS:
    RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    # Now, rewrite any request to the wrong domain to use www.

    RewriteCond %{HTTP_HOST} !^www\. [NC]
    RewriteRule .* https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

Gzip compression compresses your web pages and stylesheets before sending them over to the browser, which improves page speed performance.

Enabling Gzip compression can be done by adding the following code, and will only work if the mod_deflate module is enabled.

<IfModule mod_deflate.c>
  # Compress HTML, CSS, JavaScript, Text, XML and fonts
  AddOutputFilterByType DEFLATE application/javascript
  AddOutputFilterByType DEFLATE application/rss+xml
  AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
  AddOutputFilterByType DEFLATE application/x-font
  AddOutputFilterByType DEFLATE application/x-font-opentype
  AddOutputFilterByType DEFLATE application/x-font-otf
  AddOutputFilterByType DEFLATE application/x-font-truetype
  AddOutputFilterByType DEFLATE application/x-font-ttf
  AddOutputFilterByType DEFLATE application/x-javascript
  AddOutputFilterByType DEFLATE application/xhtml+xml
  AddOutputFilterByType DEFLATE application/xml
  AddOutputFilterByType DEFLATE font/opentype
  AddOutputFilterByType DEFLATE font/otf
  AddOutputFilterByType DEFLATE font/ttf
  AddOutputFilterByType DEFLATE image/svg+xml
  AddOutputFilterByType DEFLATE image/x-icon
  AddOutputFilterByType DEFLATE text/css
  AddOutputFilterByType DEFLATE text/html
  AddOutputFilterByType DEFLATE text/javascript
  AddOutputFilterByType DEFLATE text/plain
  AddOutputFilterByType DEFLATE text/xml

  # Remove browser bugs (only needed for really old browsers)
  BrowserMatch ^Mozilla/4 gzip-only-text/html
  BrowserMatch ^Mozilla/4\.0[678] no-gzip
  BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
  Header append Vary User-Agent
</IfModule>

Leveraging browser caching so that your static resources are cached in the user’s browser can aid website performance. The code below requires the mod_expires module.

<IfModule mod_expires.c>
  ExpiresActive On
  ExpiresDefault "access plus 1 seconds"
  ExpiresByType text/html "access plus 1 seconds"
  ExpiresByType image/x-icon "access plus 2592000 seconds"
  ExpiresByType image/gif "access plus 2592000 seconds"
  ExpiresByType image/jpeg "access plus 2592000 seconds"
  ExpiresByType image/png "access plus 2592000 seconds"
  ExpiresByType text/css "access plus 604800 seconds"
  ExpiresByType text/javascript "access plus 86400 seconds"
  ExpiresByType application/x-javascript "access plus 86400 seconds"
</IfModule>

To deny users access to your website, but allow a selected list of IP addresses access, use the deny and allow keywords.

For example, in Apache 2.2, if you wanted to deny all users access, except users visiting from an IP of 1.2.3.4, you could write the following:

Order deny,allow
Deny from all
Allow from 1.2.3.4

For Apache 2.4, the syntax is slightly different.

# Require all denied
# Require ip 1.2.3.4

If you would rather password protect the website, this can be achieved by creating a .htpasswd file on the server, preferably outside of the document root, and adding the following configuration:

AuthType Basic
AuthName "Authentication required"
AuthUserFile /home/user/.htpasswd
Require valid-user

The .htpasswd contains the username and the hashed password on a single line. It might look similar to the below.

admin:$apr1$xo.YhGaq$ifuFi9Rz25njt43ICElN3R2Cos.

You can also deny access to particular files, such as .htaccess and .gitignore files.

<Files .gitignore>
    order allow,deny
    deny from all
</Files>
<Files .htaccess>
    order allow,deny
    deny from all
</Files> 
<Files composer.json>
    order allow,deny
    deny from all
</Files>
<Files composer.lock>
    order allow,deny
    deny from all
</Files>

To protect certain directories, the directories themselves will usually have their own .htaccess that contains the deny code.

Order deny,allow
Deny from all

To configure custom error pages, use the ErrorDocument keyword, followed by the error code and the link to the page. Alternatively, you can pass in text or HTML rather than a link to the page.

ErrorDocument 500 /errors/404.php
ErrorDocument 404 "Oops, that page was <strong>not found</strong>"