.htaccess files can modify the Apache server software setup to enable additional functionality and features that the apache web server draws to the table. We can utilize the .htaccess file for the exchange of several configurations in apache web server software. Also, anyone can use the .htaccess file to have greater control over several aspects of the Apache webserver. Below, you will learn some of the crucial information you must know about the .htaccess file.
Why Is It Called .htaccess?
.htaccess means "hypertext access." The name comes from the tool's directory, which controls users' access to specific files based on per-directory. The .htaccess allows a system administrator to regulate access to individual directories to users with a password and name particularized in a .htpasswd file. It happens with a portion use of Apache's httpd.conf settings directives. While .htaccess files are used for restriction purposes, there are also many other uses that we will convert in this article.
How is .htaccess Used?
- Some of the common utilization of .htaccess is the following:
- Redirecting URLs
- Enabling password protection for any websites and pages
- Showing custom error pages like 404 ages
- Boosts SEO with a consistent trailing slash policy
- It also allows creating error pages for your site, such as 400 Bad Request, 500 Internal Error, and 403 Forbidden Page.
- Moreover, the .htaccess page gives you immense flexibility for building up your website.
Where is the .htaccess file Located?
In theory, every directory folder on your server should have one. Generally, there is one main webroot folder that holds all the content of your website. It is usually labeled such as www. Or public_html.
Suppose you have one directory that combines several website subdirectories; there will generally be a .htaccess file in the primary root (public_html) file.
How to Find my .htaccess File?
In every file system, file names that started with a dot (.) are invisible files. It means they are not usually visible by default. Which doesn't mean it is hard to get. The File Manager or FTP client-server should have a setting to see these hidden files. Perhaps, this will be in several programs but is generally in "Folder Options.", "Settings" or "Preferences." You can also find it in the "View."
What will happen if I Don't have a .htaccess File?
First, you should make sure that you have intentionally turned on the "show hidden file" option from your setting. It will verify whether you have a .htaccess file or not. Many times, .htaccess files are formed automatically, so chances are you may have one. Sometimes this case isn't always happening. You can create a new one if you don't have a .htaccess file. Follow the steps mentioned below.
- You have to begin with a new file in a plain text editor.
- You can save it in ASCII format as .htaccess (Don't use UTF-8 or any other form)
- Now make sure that it isn't htaccess.txt or related like that.
- Finally, you have to upload it to the relevant directory via FTP or through your browser's filer manager.
Till now, we understood the essential dynamics of the .htaccess file. Now we will learn error handling specifications by .htaccess files. With the use of .htaccess files, it is very simple to specify error documents. Let's understand this concept.
The Concept of Error Code
Once a request is claimed to a web server, it strives to respond to that particular request. It is generally delivering a document in the event of HTML pages. Or it can be by accessing an application and returning the output in the event of web applications and content management systems.
If something goes abnormal with it, an error is formed. There are different types of errors that occur through other codes, as you show above in the example of 404 error. It happens if the document cannot be searched on the webserver.
Let's have a view of some of the most popular errors and their causes.
Client Request Errors
400 — it means a bad request
401 — permission required
402 — payment required
403 — Forbidden
404 — not found an error
405 — Method Not Allowed
406 — Not Acceptable (encoding)
407 — Proxy Authentication Required
408 — Request Timed Out
409 — Conflicting Request
410 — Gone
411 — Content-Length Required
412 — Precondition Failed
413 — Request Entity Too Long
414 — Request URI Too Long
415 — Unsupported Media Type
500 — Internal Server Error
501 — Not Implemented
502 — Bad Gateway
503 — Service Unavailable
504 — Gateway Timeout
505 — HTTP Version Not Supported.
What is Default Error Handling?
If you don't define any error handling, the service will automatically return the text to the browser. Afterwards, the browser will display a standard error message in the text form to the use.
How to Specify Error Documents
You have to create an HTML document for the error code you want to display. You can also name these errors whatever resonates with you. It is more beneficial to name something that will showcase and help you remember—for example, not-found.html or 404.html. Afterwards, in the .htaccess file, define which document to display with each type of error.
- ErrorDocument 404 /errors/not-found.html
- ErrorDocument 500 /errors/server-err.html
- ErrorDocument 401 /errors/auth-reqd.html
- ErrorDocument 403 /errors/forbid.html
- ErrorDocument 400 /errors/bad-request.html
As you can see, each directive is placed in its position.
Alternative for .htaccess Error Handling
One of the most useful content management systems like Drupal and WordPress, including other web applications, has its native way of handling more of these error codes.
Password Protection With. .htaccess
As we discussed, the primary purpose of .htaccess files was to regulate the access to specific directories on a per-user basis, including the name and hypertext access altogether. Now we will further illustrate more about the password protection appliance with .htaccess.
Usernames and passwords for the .htaccess system are stored in a file name .htpasswd.
In the file name called ".htpasswd," usernames and passwords are stored.
These are layered each on a single line. For example:
Username: the encrypted password
It's crucial to acknowledge that the password stored in the file isn't the original password used to log in. Instead, it is another graphic crypto hash of the password.
It means the password has been running with an encryption algorithm, and the result is layered. When a client logs in through the plain text password, it runs through the same encryption algorithm. If the input is the same, the passwords match, then the client can access the content.
Storing passwords on these algorithms makes them more robust. If someone tries to access your .htpasswd file, they would only see the cryptographically hashed passwords that are not original. Also, there is no way to reconstruct the original password from these fake texts due to encryption algorithms.
Hashing (fake passwords) Algorithms
For secure algorithms:-
- bcrypt: It has a robust security function, but it is also the slowest measure. Nginx and Apache
- md5: It is the default hashing algorithm performed by the current version of Apache servers. However, it is not authorized by Nginx.
- Insecure Algorithm: you should not use.
- Crypt (): It is used to the default hashing algorithm, but it is vulnerable and not very secure.
Besides, you should not give importance to both SHA and Salted SHA functions.
Creating Usernames and Passwords on the Command Line
Directly from the command line and SSH terminal, you can create a .htpasswd file and add username-password. The command for applying for the .htpasswd file is htpasswd. If you want to create a new .htpasswd file, use the command together with the -c option for building. Afterward, type the path to the directory (don't add the URL). Besides, you can easily add any user as per your requirement.
> htpasswd -c /usr/local/etc/.htpasswd Leesnmith
It creates a new .htpasswd file in the /etc/directory and indexes a record for a user named Lessnmith. You can also store the password using md5 encryption.
Suppose there is already a .htpasswd file at some particular address, then new users will be appended to the existing file. On the other hand, if you prefer to see the bcrypt hashing algorithm, you should use the -b option.
Password Hashing without the Command Line
Suppose you are not comfortable using the SSH terminal or command line. Or, if you are not able to access it, you can quickly create a .htpasswd file. Afterward, proceed with using a plain text editor and upload it on the FTP or file manager. After all that procedure, you will have to encrypt your passwords.
There are many ways .htpasswd encryption services available online. Perhaps the best one is the htpasswd generator at Asprine.org. It provides various options for hashing algorithms and password strength. You can quickly copy-and-paste the output in your .htpasswd file.
Where you Should Store Your .htpasswd file
It is not required to have a separate .htpasswd file for every .htaccess file. It can be one for your entire web hosting account or leading server directory under most ordinary situations. Another critical thing is, the .htpasswd file should not be in a publicly accessible directory, including not any subdirectory or public_html or www. It should be in an entirely different location, which is only attainable only from the server.
How to Use .htpasswd with .htaccess
Remember, each directory can have its native .htaccess file, with its native range of users authorized to access it. Suppose you need any directories that range from non-logged-in users to access the directory and its files. You don't have to add any other algorithm because there is a default setting. In order to restrict access you have to add the following to the .htaccess file:
AuthName "Name of Secure Area"
<Limit GET POST>
The first line showcases the path and file name to your list of usernames and passwords. The second line showcases a name for the protection area. It can be whatever you like. The third line showcases "common or basic" authentication, which is what everyone usually searches for.
The <Limit> tag showcases what is being limited in posting or getting to any directory file. Under the pair of <Limit> tags is the list of authorized users who can access files. If you want to regulate access to a particular user or some users, you can function their name.
AuthName "Name of Secure Area"
<Limit GET POST>
require user Leesnsmith
require user janedoe
You can also put users into the ground and allow access based on this group. It can be articulated by adding another file that showcases the groups. The group file which can be named, for example, .htgroup like this:
Admin: Leesnsmith janedoe
Staff: Lee acrostic
Afterward, you can showcase it in your .htaccess file:
AuthName "Admin Area"
<Limit GET POST>
require group admin
Alternatives to .htpasswd
If you have many static files, it only makes sense to use .htaccess and .htpasswd to restrict some particular files' access.
This feature was created when websites used to be a collection of HTML documents and correlated resources.
If you are working on a content management system (CMS) like WordPress or Drupal, you must acquire the built-in user management system to restrict or grant permission to access the content.
In the above post, we have discussed some of the critical factors of the .htaccess file and its uses. At the same time, we discussed the correct definition of the .htaccess file and its robust security features. The .htaccess file is a configuration file read and performed by the server. It can override many server configuration elements. We also learned the .htaccess could be used for authorization, website optimization, URL rewriting, and, most importantly, cache control. In content management applications such as WordPress, it is commonly used for rewrite URLs and search engine optimization.
Thus, the .htaccess file greatly influences the ranking factors of a website. The .htaccess file improves your website's search engine optimization. As we discussed, it is a distributed server configuration file for the Apache web server, so you can easily use it for modification and create redirection, HTTP headers, manage to crawl, and many more. However, it helps developers write and deeply a .htaccess file that can specifically solve complex SEO problems.