htaccess Cheat Sheet

Here is a simple cheatsheet for the .htaccess file:

Enable Directory Browsing

Options +Indexes
## block a few types of files from showing
IndexIgnore *.wmv *.mp4 *.avi

Disable Directory Browsing

# Apache 2.4 rejects a mix of signed and unsigned options ("All -Indexes")
Options -Indexes
ErrorDocument 403
Order deny,allow
Deny from all
Allow from

Redirect all but 1 IP to different site, using mod_rewrite

RewriteEngine On
RewriteBase /
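# Test the client address (REMOTE_HOST may hold a resolved hostname) and
# anchor the end, otherwise 1.1.1.10 through 1.1.1.199 are exempted too
RewriteCond %{REMOTE_ADDR} !^1\.1\.1\.1$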
RewriteRule .* [R=302,L]

Redirect Everyone but you to alternate page on your server.

RewriteEngine On
RewriteBase /
# Anchored match on the client address, so only 1.1.1.1 is exempt
RewriteCond %{REMOTE_ADDR} !^1\.1\.1\.1$
RewriteCond %{REQUEST_URI} !/temporary-offline\.html$
RewriteRule .* /temporary-offline.html [R=302,L]

Customize Error Messages

ErrorDocument 403 /forbidden.html
ErrorDocument 404 /notfound.html
ErrorDocument 500 /servererror.html

Get SSI working with HTML/SHTML

AddType text/html .html
AddType text/html .shtml
AddHandler server-parsed .html
AddHandler server-parsed .shtml
# AddHandler server-parsed .htm

Change Default Page (order is followed!)

DirectoryIndex myhome.htm index.htm index.php

Block Users from accessing the site

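<limit GET POST PUT>
# allow,deny evaluates Deny last, so the deny lines win over "allow from all"
# (with deny,allow the "allow from all" would override every deny)
order allow,deny
allow from all
deny from
deny from
deny from
</limit>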

Allow only LAN users

order deny,allow
deny from all
allow from

Redirect Visitors to New Page/Directory

Redirect oldpage.html
Redirect /olddir

Block site from specific referrers

RewriteEngine on
# [OR] is required: without it both conditions must match the same Referer
RewriteCond %{HTTP_REFERER} site-to-block\.com [NC,OR]
RewriteCond %{HTTP_REFERER} site-to-block-2\.com [NC]
RewriteRule .* - [F]

Block Hot Linking/Bandwidth hogging

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?*$ [NC]
RewriteRule \.(gif|jpg)$ - [F]

Want to show a “Stealing is Bad” message too?

Add this below the Hot Link Blocking code:

RewriteRule \.(gif|jpg)$ [R,L]

Stop .htaccess (or any other file) from being viewed

<files file-name>
order allow,deny
deny from all
</files>

Avoid the 500 Error

# Avoid 500 error by passing charset
AddDefaultCharset utf-8

Grant CGI Access in a directory

Options +ExecCGI
AddHandler cgi-script cgi pl
# To enable all scripts in a directory use the following
# SetHandler cgi-script

Password Protecting Directories

Use the .htaccess Password Generator and follow the brief instructions!

Change Script Extensions

AddType application/x-httpd-php .gne

.gne files will now be treated as PHP files! Similarly, use x-httpd-cgi for CGI files, etc.

Use MD5 Digests

Performance may take a hit, but if that's not a problem, this is a nice option to turn on.

ContentDigest On

The CheckSpelling Directive

From Jens Meiert: CheckSpelling corrects simple spelling errors (for example, if someone forgets a letter or if any character is just wrong). Just add CheckSpelling On to your htaccess file.

The ContentDigest Directive

As the Apache core features documentation says: “This directive enables the generation of Content-MD5 headers as defined in RFC1864 respectively RFC2068. The Content-MD5 header provides an end-to-end message integrity check (MIC) of the entity-body. A proxy or client may check this header for detecting accidental modification of the entity-body in transit.

Note that this can cause performance problems on your server since the message digest is computed on every request (the values are not cached). Content-MD5 is only sent for documents served by the core, and not by any module. For example, SSI documents, output from CGI scripts, and byte range responses do not have this header.”

To turn this on, just add ContentDigest On.
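
The client-side check that the quoted documentation mentions can be sketched as follows. This is an added example, not code from the Apache project or from the original page; the response bytes are constructed inline and the function names are hypothetical.

```python
import base64
import hashlib

def digest_b64(body: bytes) -> bytes:
    """RFC 1864 value: base64 of the 128-bit MD5 digest of the entity-body."""
    return base64.b64encode(hashlib.md5(body).digest())

def split_response(raw: bytes):
    """Split a raw HTTP/1.x response into ({lower-cased name: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:            # [0] is the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def check_content_md5(raw: bytes) -> str:
    """Return 'absent', 'match' or 'mismatch' for a response's Content-MD5."""
    headers, body = split_response(raw)
    sent = headers.get(b"content-md5")
    if sent is None:
        return "absent"     # expected for SSI, CGI output and byte-range responses
    # Catches accidental corruption only: anyone able to rewrite the body can
    # also rewrite the header, so this is not a tamper check.
    return "match" if sent == digest_b64(body) else "mismatch"

def sample_response(body: bytes, with_digest: bool = True) -> bytes:
    """Constructed response standing in for one served with ContentDigest On."""
    lines = [b"HTTP/1.1 200 OK", b"Content-Type: text/html",
             b"Content-Length: " + str(len(body)).encode()]
    if with_digest:
        lines.append(b"Content-MD5: " + digest_b64(body))
    return b"\r\n".join(lines) + b"\r\n\r\n" + body

if __name__ == "__main__":
    intact = sample_response(b"<html>hello</html>")
    damaged = intact[:-1] + b"!"                    # last body byte altered in transit
    for raw in (intact, damaged, sample_response(b"x", with_digest=False)):
        print(check_content_md5(raw))
```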

Save Bandwidth

# Only if you use PHP
<ifmodule mod_php4.c>
php_value zlib.output_compression 16386
</ifmodule>

Turn off magic_quotes_gpc

# Only if you use PHP
<ifmodule mod_php4.c>
php_flag magic_quotes_gpc off
</ifmodule>

Taken from

Regex Character Definitions for htaccess

# the # instructs the server to ignore the line. It is used for including comments, and each line of comments requires its own #. When including comments, it is good practice to use only letters, numbers, dashes, and underscores; this helps avoid potential server parsing errors.

[F] Forbidden: instructs the server to return a 403 Forbidden to the client.
[L] Last rule: instructs the server to stop rewriting after the preceding directive is processed.
[N] Next: instructs Apache to rerun the rewrite rule until all rewriting directives have been achieved.
[G] Gone: instructs the server to deliver Gone (no longer exists) status message.
[P] Proxy: instructs the server to handle requests by mod_proxy.
[C] Chain: instructs the server to chain the current rule with the previous rule.
[R] Redirect: instructs Apache to issue a redirect, causing the browser to request the rewritten/modified URL.
[NC] No Case: defines any associated argument as case-insensitive. i.e., “NC” = “No Case”.
[PT] Pass Through: instructs mod_rewrite to pass the rewritten URL back to Apache for further processing.
[OR] Or: specifies a logical “or” that ties two expressions together such that either one proving true will cause the associated rule to be applied.
[NE] No Escape: instructs the server to parse output without escaping characters.
[NS] No Subrequest: instructs the server to skip the directive if internal sub-request.
[QSA] Append Query String: directs the server to add the query string to the end of the expression (URL).
[S=x] Skip: instructs the server to skip the next “x” number of rules if a match is detected.
[E=variable:value] Environmental Variable: instructs the server to set the environmental variable “variable” to “value”.
[T=MIME-type] Mime Type: declares the mime type of the target resource.
[ ] specifies a character class, in which any character within the brackets will be a match. e.g., [xyz] will match either an x, y, or z.
[ ]+ character class in which any combination of items within the brackets will be a match. e.g., [xyz]+ will match any number of x’s, y’s, z’s, or any combination of these characters.
[^ ] specifies not within a character class. e.g., [^xyz] will match any character that is neither x, y, nor z.
[a-z] a dash (-) between two characters within a character class ([]) denotes the range of characters between them. e.g., [a-zA-Z] matches all lowercase and uppercase letters from a to z.
a{n} specifies an exact number, n, of the preceding character. e.g., x{3} matches exactly three x’s.
a{n,} specifies n or more of the preceding character. e.g., x{3,} matches three or more x’s.
a{n,m} specifies a range of numbers, between n and m, of the preceding character. e.g., x{3,7} matches three, four, five, six, or seven x’s.
() used to group characters together, thereby considering them as a single unit. e.g., (perishable)?press will match press, with or without the perishable prefix.
^ denotes the beginning of a regex (regex = regular expression) test string. i.e., begin argument with the following character.
$ denotes the end of a regex (regex = regular expression) test string. i.e., end argument with the previous character.
? declares as optional the preceding character. e.g., monzas? will match monza or monzas, while mon(za)? will match either mon or monza. i.e., x? matches zero or one of x.
! declares negation. e.g., “!string” matches everything except “string”.
. a dot (or period) indicates any single arbitrary character.
- instructs “not to” rewrite the URL, as in “* - [F]”.
+ matches one or more of the preceding character. e.g., G+ matches one or more G’s, while “+” will match one or more characters of any kind.
* matches zero or more of the preceding character. e.g., use “.*” as a wildcard.
| declares a logical “or” operator. for example, (x|y) matches x or y.
\ escapes special characters ( ^ $ ! . * | ). e.g., use “\.” to indicate/escape a literal dot.
\. indicates a literal dot (escaped).
/* zero or more slashes.
.* zero or more arbitrary characters.
^$ defines an empty string.
the standard pattern for matching everything.
[^/.] defines one character that is neither a slash nor a dot.
[^/.]+ defines any number of characters which contains neither slash nor dot.
http:// this is a literal statement: in this case, the literal character string, “http://”.
^domain.* defines a string that begins with the term “domain”, which then may be followed by any number of any characters.
defines the exact string “”.
-d tests if string is an existing directory
-f tests if string is an existing file
-s tests if file in test string has a non-zero value
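
The $ anchor and the [OR] flag defined above are the two that most often go missing in access rules. The following is an added example, not part of the original cheat sheet: a small audit that flags an unanchored client-address pattern and stacked conditions lacking [OR]. The sample rules are constructed and the function name is hypothetical.

```python
import re

# Constructed sample reproducing both mistakes (not taken from a real site).
SAMPLE = r"""RewriteEngine On
RewriteCond %{REMOTE_HOST} !^1\.1\.1\.1
RewriteCond %{REQUEST_URI} !/temporary-offline\.html$
RewriteRule .* /temporary-offline.html [R=302,L]
RewriteCond %{HTTP_REFERER} site-to-block\.com [NC]
RewriteCond %{HTTP_REFERER} site-to-block-2\.com [NC]
RewriteRule .* - [F]
RewriteCond %{REMOTE_ADDR} !^1\.1\.1\.1$"""

COND = re.compile(r"^\s*RewriteCond\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)
IPV4 = re.compile(r"(\d{1,3}\.){3}(\d{1,3})")

def audit(htaccess):
    """Return (line_number, message) findings for two mod_rewrite pitfalls."""
    findings, prev = [], None   # prev: (test string, negated, flags) of the line above
    for no, line in enumerate(htaccess.splitlines(), 1):
        m = COND.match(line)
        if not m:
            prev = None         # any other directive ends a run of conditions
            continue
        test, pattern = m.group(1).upper(), m.group(2)
        flags = {f.strip().upper() for f in (m.group(3) or "").split(",")}
        negated, body = pattern.startswith("!"), pattern.lstrip("!")
        # Pitfall 1: an address pattern without a trailing $ is a prefix match.
        if test in ("%{REMOTE_ADDR}", "%{REMOTE_HOST}") and not body.endswith("$"):
            ip = IPV4.fullmatch(body.lstrip("^").replace("\\", ""))
            # Appending "0" gives the smallest longer last octet; skip if > 255.
            if ip and ip.group(2) != "0" and int(ip.group(2) + "0") <= 255:
                witness = ip.group(0) + "0"
                if re.search(body, witness):
                    findings.append((no, "prefix match, also matches " + witness))
        # Pitfall 2: stacked positive conditions are ANDed unless flagged [OR].
        if prev and prev[0] == test and not (prev[1] or negated) and "OR" not in prev[2]:
            findings.append((no - 1, "ANDed with the next condition, [OR] missing?"))
        prev = (test, negated, flags)
    return findings

if __name__ == "__main__":
    for no, msg in audit(SAMPLE):
        print(f"line {no}: {msg}")
```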

The Options directive controls which server features are available in a particular directory.

option can be set to None, in which case none of the extra features are enabled, or one or more of the following:

All: All options except for MultiViews. This is the default setting.
ExecCGI: Execution of CGI scripts is permitted.
FollowSymLinks: The server will follow symbolic links in this directory.
Note: even though the server follows the symlink it does not change the pathname used to match against <Directory> sections.
Note: this option gets ignored if set inside a <Location> section.
Includes: Server-side includes are permitted.
IncludesNOEXEC: Server-side includes are permitted, but the #exec command and #exec CGI are disabled. It is still possible to #include virtual CGI scripts from ScriptAliased directories.
Indexes: If a URL which maps to a directory is requested, and there is no DirectoryIndex (e.g., index.html) in that directory, then the server will return a formatted listing of the directory.
MultiViews: Content negotiated MultiViews are allowed.
SymLinksIfOwnerMatch: The server will only follow symbolic links for which the target file or directory is owned by the same user id as the link.
Note: this option gets ignored if set inside a <Location> section.