{"id":4393,"date":"2015-03-17T20:51:04","date_gmt":"2015-03-17T12:51:04","guid":{"rendered":"http:\/\/rmohan.com\/?p=4393"},"modified":"2015-03-17T22:45:10","modified_gmt":"2015-03-17T14:45:10","slug":"htaccess-or-mod_rewrite-encyclopedia","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=4393","title":{"rendered":".htaccess or mod_rewrite encyclopedia"},"content":{"rendered":"

.htaccess or mod_rewrite encyclopedia
\ncollected here are a variety of practical .htaccess snippets, you can think of the use of almost all here.<\/p>\n

Disclaimer : Although these snippets directly copied to your .htaccess file, the vast majority of cases are easy to use, but there are very few cases where you need to modify some of the job. At your own risk.<\/p>\n

IMPORTANT NOTE : Apache 2.4 is not compatible changes, especially in terms of access to configuration control. For more information, please refer to this updated document and article .<\/p>\n

Table of Contents<\/p>\n

Again and redirection
\nForced www
\nWww mandatory general method
\nForced non-www
\nForced non-www common method
\nForced HTTPS
\nBy forcing HTTPS proxy
\nAdd a slash at the end of compulsory
\nRemove trailing slashes
\nRedirect to a page
\nDirectory alias
\nScript aliases
\nRedirect the entire site
\nClean URL
\nSecurity
\nDeny all access
\nDeny all access (excluding section)
\nShield reptile \/ malicious access
\nHidden files and directories
\nProtect the backup files and source code files
\nBan directory browsing
\nProhibit pictures Daolian
\nProhibit pictures hotlinking (specify name)
\nPassword Protected Directories
\nPassword-protected files
\nVisitor Referrer filtered through
\nPrevent nesting other pages
\nPerformance
\nArchive
\nSet an expiration header
\nClose eTags logo
\nOther
\nSetting up a PHP variable
\nCustom Error Pages
\nForced Download
\nBlocking the download
\nRun cross-domain font reference
\nAuto UTF-8 Encode
\nSwitching PHP version
\nProhibit IE Compatibility View
\nSupports WebP image format
\nAgain and redirection<\/p>\n

Note: you first need to install and enable server mod_rewrite module.<\/p>\n

Forced www<\/p>\n

RewriteEngine on
\nRewriteCond %{HTTP_HOST} ^example\\.com [NC]
\nRewriteRule ^(.*)$ http:\/\/www.example.com\/$1 [L,R=301,NC]<\/p>\n

Www mandatory general method<\/p>\n

RewriteCond %{HTTP_HOST} !^$
\nRewriteCond %{HTTP_HOST} !^www\\. [NC]
\nRewriteCond %{HTTPS}s ^on(s)|
\nRewriteRule ^ http%1:\/\/www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
\nThis method can be used at any site.<\/p>\n

Forced non-www<\/p>\n

WWW what is good, or non-www good, no conclusion, if you like without the www, you can use the following script:<\/p>\n

RewriteEngine on
\nRewriteCond %{HTTP_HOST} ^www\\.example\\.com [NC]
\nRewriteRule ^(.*)$ http:\/\/example.com\/$1 [L,R=301]<\/p>\n

Forced non-www common method<\/p>\n

RewriteEngine on
\nRewriteCond %{HTTP_HOST} ^www\\.
\nRewriteCond %{HTTPS}s ^on(s)|off
\nRewriteCond http%1:\/\/%{HTTP_HOST} ^(https?:\/\/)(www\\.)?(.+)$
\nRewriteRule ^ %1%3%{REQUEST_URI} [R=301,L]<\/p>\n

Forced HTTPS<\/p>\n

RewriteEngine on
\nRewriteCond %{HTTPS} !on
\nRewriteRule (.*) https:\/\/%{HTTP_HOST}%{REQUEST_URI}<\/p>\n

# Note: It’s also recommended to enable HTTP Strict Transport Security (HSTS)
\n# on your HTTPS website to help prevent man-in-the-middle attacks.
\n# See https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/Security\/HTTP_strict_transport_security
\n<IfModule mod_headers.c>
\nHeader always set Strict-Transport-Security “max-age=31536000; includeSubDomains”
\n<\/IfModule>
\nBy forcing HTTPS proxy<\/p>\n

If you use a proxy, this method is useful for you.<\/p>\n

RewriteCond %{HTTP:X-Forwarded-Proto} !https
\nRewriteRule (.*) https:\/\/%{HTTP_HOST}%{REQUEST_URI}
\nAdd a slash at the end of compulsory<\/p>\n

RewriteCond %{REQUEST_URI} \/+[^\\.]+$
\nRewriteRule ^(.+[^\/])$ %{REQUEST_URI}\/ [R=301,L]<\/p>\n

Remove trailing slashes<\/p>\n

RewriteCond %{REQUEST_FILENAME} !-d
\nRewriteRule ^(.*)\/$ \/$1 [R=301,L]<\/p>\n

Redirect to a page<\/p>\n

Redirect 301 \/oldpage.html http:\/\/www.example.com\/newpage.html
\nRedirect 301 \/oldpage2.html http:\/\/www.example.com\/folder\/
\nSource<\/p>\n

Directory alias<\/p>\n

RewriteEngine On
\nRewriteRule ^source-directory\/(.*) target-directory\/$1
\nScript aliases<\/p>\n

FallbackResource \/index.fcgi
\nThis example has an index.fcgi file in some directory, and any requests within that directory that fail to
\nresolve a filename\/directory will be sent to the index.fcgi script.
\nIt\u2019s good if you want baz.foo\/some\/cool\/path to be handled by baz.foo\/index.fcgi (which also supports requests to baz.foo)
\nwhile maintaining baz.foo\/css\/style.css and the like. Get access to the original path from the PATH_INFO environment variable,
\nas exposed to your scripting environment.<\/p>\n

RewriteEngine On
\nRewriteRule ^$ index.fcgi\/ [QSA,L]
\nRewriteCond %{REQUEST_FILENAME} !-f
\nRewriteCond %{REQUEST_FILENAME} !-d
\nRewriteRule ^(.*)$ index.fcgi\/$1 [QSA,L]
\nThis is a less efficient version of the FallbackResource directive (because using mod_rewrite is more complex than just handling the FallbackResource directive), but it\u2019s also more flexible.<\/p>\n

Redirect the entire site<\/p>\n

Redirect 301 \/ http:\/\/newsite.com\/
\nThis way does it with links intact. That is www.oldsite.com\/some\/crazy\/link.html will become
\nwww.newsite.com\/some\/crazy\/link.html. This is extremely helpful when you are just \u201cmoving\u201d a site to a new domain. Source<\/p>\n

Clean URL<\/p>\n

This snippet lets you use \u201cclean\u201d URLs \u2014 those without a PHP extension, e.g.
\nexample.com\/users instead of example.com\/users.php.
\nRewriteEngine On
\nRewriteCond %{SCRIPT_FILENAME} !-d
\nRewriteRule ^([^.]+)$ $1.php [NC,L]
\nSource<\/p>\n

Security<\/p>\n

Deny all access<\/p>\n

## Apache 2.2
\nDeny from all<\/p>\n

## Apache 2.4
\n# Require all denied<\/p>\n

But wait, this will lock you out from your content as well! Thus introducing\u2026
\nDeny all access (excluding section)<\/p>\n

## Apache 2.2
\nOrder deny,allow
\nDeny from all
\nAllow from xxx.xxx.xxx.xxx<\/p>\n

## Apache 2.4
\n# Require all denied
\n# Require ip xxx.xxx.xxx.xxx<\/p>\n

xxx.xxx.xxx.xxx is your IP. If you replace the last three digits with 0\/12 for example, this will specify a range of IPs within the same network, thus saving you the trouble to list all allowed IPs separately.<\/p>\n

Source<\/p>\n

Now of course there\u2019s a reversed version:<\/p>\n

Shield reptile \/ malicious access
\n## Apache 2.2
\nOrder deny,allow
\nAllow from all
\nDeny from xxx.xxx.xxx.xxx
\nDeny from xxx.xxx.xxx.xxy<\/p>\n

## Apache 2.4
\n# Require all granted
\n# Require not ip xxx.xxx.xxx.xxx
\n# Require not ip xxx.xxx.xxx.xxy<\/p>\n

Hidden files and directories<\/p>\n

Hidden files and directories (those whose names start with a dot .) should most, if not all, of the time be secured. For example: .htaccess, .htpasswd, .git, .hg\u2026<\/p>\n

RewriteCond %{SCRIPT_FILENAME} -d [OR]
\nRewriteCond %{SCRIPT_FILENAME} -f
\nRewriteRule “(^|\/)\\.” – [F]
\nAlternatively, you can just raise a Not Found error, giving the attacker dude no clue:<\/p>\n

RedirectMatch 404 \/\\..*$
\nProtect the backup files and source code files<\/p>\n

These files may be left by some text\/html editors (like Vi\/Vim) and pose a great security danger if exposed to public.<\/p>\n

<FilesMatch “(\\.(bak|config|dist|fla|inc|ini|log|psd|sh|sql|swp)|~)$”>
\n## Apache 2.2
\nOrder allow,deny
\nDeny from all
\nSatisfy All<\/p>\n

## Apache 2.4
\n# Require all denied
\n<\/FilesMatch>
\nSource<\/p>\n

Ban directory browsing
\nOptions All -Indexes
\nProhibit pictures Daolian<\/p>\n

RewriteEngine on
\n# Remove the following line if you want to block blank referrer too
\nRewriteCond %{HTTP_REFERER} !^$<\/p>\n

RewriteCond %{HTTP_REFERER} !^http(s)?:\/\/(.+\\.)?example.com [NC]
\nRewriteRule \\.(jpg|jpeg|png|gif|bmp)$ – [NC,F,L]<\/p>\n

# If you want to display a “blocked” banner in place of the hotlinked image,
\n# replace the above rule with:
\n# RewriteRule \\.(jpg|jpeg|png|gif|bmp) http:\/\/example.com\/blocked.png [R,L]
\nProhibit pictures hotlinking (specify name)<\/p>\n

Sometimes you want to from some bad guys only.<\/p>\n

RewriteEngine on
\nRewriteCond %{HTTP_REFERER} ^http(s)?:\/\/(.+\\.)?badsite\\.com [NC,OR]
\nRewriteCond %{HTTP_REFERER} ^http(s)?:\/\/(.+\\.)?badsite2\\.com [NC,OR]
\nRewriteRule \\.(jpg|jpeg|png|gif)$ – [NC,F,L]<\/p>\n

# If you want to display a “blocked” banner in place of the hotlinked image,
\n# replace the above rule with:
\n# RewriteRule \\.(jpg|jpeg|png|gif|bmp) http:\/\/example.com\/blocked.png [R,L]<\/p>\n

Password Protected Directories<\/p>\n

First you need to create a .htpasswd file somewhere in the system:<\/p>\n

htpasswd -c \/home\/fellowship\/.htpasswd boromir
\nThen you can use it for authentication:<\/p>\n

AuthType Basic
\nAuthName “One does not simply”
\nAuthUserFile \/home\/fellowship\/.htpasswd
\nRequire valid-user
\nAuthName “One still does not simply”
\nAuthType Basic
\nAuthUserFile \/home\/fellowship\/.htpasswd<\/p>\n

<Files “one-ring.o”>
\nRequire valid-user
\n<\/Files><\/p>\n

<FilesMatch ^((one|two|three)-rings?\\.o)$>
\nRequire valid-user
\n<\/FilesMatch><\/p>\n

Visitor Referrer filtered through
\nThis denies access for all users who are coming from (referred by) a specific domain.
\nSource
\nRewriteEngine on
\n# Options +FollowSymlinks
\nRewriteCond %{HTTP_REFERER} somedomain\\.com [NC,OR]
\nRewriteCond %{HTTP_REFERER} anotherdomain\\.com
\nRewriteRule .* – [F]<\/p>\n

Prevent nesting other pages<\/p>\n

This prevents the website to be framed (i.e. put into an iframe tag), when still allows framing for a specific URI.<\/p>\n

SetEnvIf Request_URI “\/starry-night” allow_framing=true
\nHeader set X-Frame-Options SAMEORIGIN env=!allow_framing
\nPerformance<\/p>\n

Archive<\/p>\n

<IfModule mod_deflate.c><\/p>\n

# ?? compression for mangled headers.
\n# http:\/\/developer.yahoo.com\/blogs\/ydn\/posts\/2010\/12\/pushing-beyond-gzipping
\n<IfModule mod_setenvif.c>
\n<IfModule mod_headers.c>
\nSetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\\s*,?\\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
\nRequestHeader append Accept-Encoding “gzip,deflate” env=HAVE_Accept-Encoding
\n<\/IfModule>
\n<\/IfModule><\/p>\n

# Compress all output labeled with one of the following MIME-types
\n# (for Apache versions below 2.3.7, you don’t need to enable `mod_filter`
\n# and can remove the `<IfModule mod_filter.c>` and `<\/IfModule>` lines
\n# as `AddOutputFilterByType` is still in the core directives).
\n<IfModule mod_filter.c>
\nAddOutputFilterByType DEFLATE application\/atom+xml \\
\napplication\/javascript \\
\napplication\/json \\
\napplication\/rss+xml \\
\napplication\/vnd.ms-fontobject \\
\napplication\/x-font-ttf \\
\napplication\/x-web-app-manifest+json \\
\napplication\/xhtml+xml \\
\napplication\/xml \\
\nfont\/opentype \\
\nimage\/svg+xml \\
\nimage\/x-icon \\
\ntext\/css \\
\ntext\/html \\
\ntext\/plain \\
\ntext\/x-component \\
\ntext\/xml
\n<\/IfModule><\/p>\n

<\/IfModule><\/p>\n

Source<\/p>\n

Set an expiration header<\/p>\n

xpires headers tell the browser whether they should request a specific file from the server or just grab it from the cache. It is advisable to set static content\u2019s expires headers to something far in the future.
\nIf you don\u2019t control versioning with filename-based cache busting, consider lowering the cache time for resources like CSS and JS to something like 1 week. Source<\/p>\n

<IfModule mod_expires.c>
\nExpiresActive on
\nExpiresDefault “access plus 1 month”<\/p>\n

# CSS
\nExpiresByType text\/css “access plus 1 year”<\/p>\n

# Data interchange
\nExpiresByType application\/json “access plus 0 seconds”
\nExpiresByType application\/xml “access plus 0 seconds”
\nExpiresByType text\/xml “access plus 0 seconds”<\/p>\n

# Favicon (cannot be renamed!)
\nExpiresByType image\/x-icon “access plus 1 week”<\/p>\n

# HTML components (HTCs)
\nExpiresByType text\/x-component “access plus 1 month”<\/p>\n

# HTML
\nExpiresByType text\/html “access plus 0 seconds”<\/p>\n

# JavaScript
\nExpiresByType application\/javascript “access plus 1 year”<\/p>\n

# Manifest files
\nExpiresByType application\/x-web-app-manifest+json “access plus 0 seconds”
\nExpiresByType text\/cache-manifest “access plus 0 seconds”<\/p>\n

# Media
\nExpiresByType audio\/ogg “access plus 1 month”
\nExpiresByType image\/gif “access plus 1 month”
\nExpiresByType image\/jpeg “access plus 1 month”
\nExpiresByType image\/png “access plus 1 month”
\nExpiresByType video\/mp4 “access plus 1 month”
\nExpiresByType video\/ogg “access plus 1 month”
\nExpiresByType video\/webm “access plus 1 month”<\/p>\n

# Web feeds
\nExpiresByType application\/atom+xml “access plus 1 hour”
\nExpiresByType application\/rss+xml “access plus 1 hour”<\/p>\n

# Web fonts
\nExpiresByType application\/font-woff2 “access plus 1 month”
\nExpiresByType application\/font-woff “access plus 1 month”
\nExpiresByType application\/vnd.ms-fontobject “access plus 1 month”
\nExpiresByType application\/x-font-ttf “access plus 1 month”
\nExpiresByType font\/opentype “access plus 1 month”
\nExpiresByType image\/svg+xml “access plus 1 month”
\n<\/IfModule>
\nClose eTags logo<\/p>\n

By removing the ETag header, you disable caches and browsers from being able to validate files, so they are forced to rely on your Cache-Control and Expires header. Source<\/p>\n

<IfModule mod_headers.c>
\nHeader unset ETag
\n<\/IfModule>
\nFileETag None
\nMiscellaneous<\/p>\n

Setting up a PHP variable<\/p>\n

php_value <key> <val><\/p>\n

# For example:
\nphp_value upload_max_filesize 50M
\nphp_value max_execution_time 240
\nCustom Error Pages<\/p>\n

ErrorDocument 500 “Houston, we have a problem.”
\nErrorDocument 401 http:\/\/error.example.com\/mordor.html
\nErrorDocument 404 \/errors\/halflife3.html
\nForced Download<\/p>\n

Sometimes you want to the browser to download some content instead of displaying it.
\n<Files *.md>
\nForceType application\/octet-stream
\nHeader set Content-Disposition attachment
\n<\/Files><\/p>\n

Blocking the download<\/p>\n

Sometimes you want to ?? the browser to display some content instead of downloading it.<\/p>\n

<FilesMatch “\\.(tex|log|aux)$”>
\nHeader set Content-Type text\/plain
\n<\/FilesMatch>
\nRun cross-domain font reference<\/p>\n

CDN-served webfonts might not work in Firefox or IE due to CORS. This snippet solves the problem.<\/p>\n

<IfModule mod_headers.c>
\n<FilesMatch “\\.(eot|otf|ttc|ttf|woff|woff2)$”>
\nHeader set Access-Control-Allow-Origin “*”
\n<\/FilesMatch>
\n<\/IfModule>
\nSource<\/p>\n

Auto UTF-8 Encode<\/p>\n

Your text content should always be UTF-8 encoded, no?<\/p>\n

# Use UTF-8 encoding for anything served text\/plain or text\/html
\nAddDefaultCharset utf-8<\/p>\n

# UTF-8 for a number of file formats
\nAddCharset utf-8 .atom .css .js .json .rss .vtt .xml<\/p>\n

Source<\/p>\n

Switching PHP version<\/p>\n

If you\u2019re on a shared host, chances are there are more than one version of PHP installed, and sometimes you want a specific version for your website. For example, Laravel requires PHP >= 5.4. The following snippet should switch the PHP version for you.<\/p>\n

AddHandler application\/x-httpd-php55 .php<\/p>\n

# Alternatively, you can use AddType
\nAddType application\/x-httpd-php55 .php<\/p>\n

Compatibility View in IE may affect how some websites are displayed. The following snippet should
\nIE to use the Edge Rendering Engine and disable the Compatibility View.<\/p>\n

<IfModule mod_headers.c>
\nBrowserMatch MSIE is-msie
\nHeader set X-UA-Compatible IE=edge env=is-msie
\n<\/IfModule>
\nSupports WebP image format<\/p>\n

If WebP images are supported and an image with a .webp extension and the same name is found at the same place as the jpg\/png image that is going to be served, then the WebP image is served instead.<\/p>\n

RewriteEngine On
\nRewriteCond %{HTTP_ACCEPT} image\/webp
\nRewriteCond %{DOCUMENT_ROOT}\/$1.webp -f
\nRewriteRule (.+)\\.(jpe?g|png)$ $1.webp [T=image\/webp,E=accept:1]<\/p>\n","protected":false},"excerpt":{"rendered":"

.htaccess or mod_rewrite encyclopedia collected here are a variety of practical .htaccess snippets, you can think of the use of almost all here.<\/p>\n

Disclaimer : Although these snippets directly copied to your .htaccess file, the vast majority of cases are easy to use, but there are very few cases where you need to modify some […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/4393"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4393"}],"version-history":[{"count":1,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/4393\/revisions"}],"predecessor-version":[{"id":4394,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/4393\/revisions\/4394"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4393"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4393"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4393"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}