.htaccess useful options

This is a post that I started to remind me of what the correct syntax is for the .htaccess file. But given that it has kind of grown to include a heap of .htaccess info, I thought it wise to highlight the Apache official .htaccess tutorial pages. Given the information in that tutorial, only use .htaccess if you really need to, and preferably use the correct httpd.conf (apache2.conf or similar, depending on your distro) for the commands, as it will help with system performance. That said, there are a number of things that I use .htaccess for; here are some of them.

Edit: Have not read this as yet, but it seems to contain a heap more detail. http://www.askapache.com/htaccess/htaccess.html

The following came from http://www.buildwebsite4u.com/advanced/htaccess-file.shtml:

Redirecting YourSite.com to www.YourSite.com
If search engines find both www and non-www links from other sites to your site, they may treat http://YourSite.com and http://www.YourSite.com as two different websites with the same content. This means that your site can be penalized for duplicate content. Many experts recommend setting up a 301 redirect (permanent redirect) from YourSite.com to www.YourSite.com…

The code for this would be:
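[php]
# Permanently (301) redirect the bare domain to the www host.
# The dot is escaped so it matches a literal "." rather than any character.
RewriteEngine On
RewriteCond %{HTTP_HOST} ^YourSite\.com [NC]
RewriteRule (.*) http://www.YourSite.com/$1 [R=301,L]
[/php]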

Of course, using the .htaccess file and having all the correct paths enabled will help.

My default SME Server uses Apache2 and I have found that in order to use .htaccess and htpasswd effectively I had to add / enable some modules in the /etc/httpd/conf/httpd.conf file.

Setting aside the fact that SME Server needs to have specific templates updated, the CentOS distro that it is based on will be similar to this (I expect).

I did enable a number of auth type modules to address a number of errors. In each case the /var/log/httpd/error.log was where the errors were recorded.

.htaccess: Invalid command ‘AuthUserFile’, perhaps misspelled or defined by a module not included in the server configuration

was fixed by enabling

LoadModule authn_file_module modules/mod_authn_file.so

While the error

configuration error: couldn’t check user. No user file?

needed to have the Basic Authentication module enabled in the LoadModules section of the httpd.conf

LoadModule auth_basic_module modules/mod_auth_basic.so

Note that by default Digest is enabled, but given that Digest provides little security above Basic, I am OK with using Basic with SSL. Note that SSL is essential for Basic Authentication to be of use. Read the info from Apache on Basic v Digest, as I think it makes it clear.

…and another error

configuration error: couldn’t check access. No groups file?:

needed to have this module added.

LoadModule authz_user_module modules/mod_authz_user.so

At this point I could log in from the browser and got a prompt to access the directory. However, there was still an error in the log which stated:

/.htaccess: order not allowed here

This was because I had not completed the AllowOverride construct in the httpd.conf file.

In my httpd.conf I have sections for each virtual site / directory on the server.

Options None
Options +Indexes
Options +Includes
AllowOverride None
order deny,allow
deny from all
allow from all

In this section, the 'AllowOverride None' directive makes Apache ignore .htaccess, while setting it to AllowOverride AuthConfig allows it to check for a username/password. It also needs AllowOverride Limit to avoid the error about Order.

So, to summarise the httpd.conf change: I added a specific directory directive for the directory I am securing with htaccess/htpasswd, with the following:

AllowOverride AuthConfig Limit
order deny,allow
deny from all
allow from all
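
The pieces above put together in Apache 2.2-style syntax, with the .htaccess side that the post does not show. This is an added example, not configuration from the original post: the directory path, password file path and realm name are placeholders, and SSLRequireSSL assumes mod_ssl is already loaded.

```apache
# ---- httpd.conf (server configuration) ----
# Provides AuthUserFile; fixes "Invalid command 'AuthUserFile'"
LoadModule authn_file_module modules/mod_authn_file.so
# Provides Basic authentication; fixes "couldn't check user. No user file?"
LoadModule auth_basic_module modules/mod_auth_basic.so
# Provides "Require valid-user"; fixes "couldn't check access. No groups file?"
LoadModule authz_user_module modules/mod_authz_user.so

# Placeholder path: the directory being protected
<Directory "/var/www/example/private">
    # AuthConfig lets .htaccess use AuthType, AuthUserFile, Require, SSLRequireSSL.
    # Limit lets .htaccess use Order/Allow/Deny; fixes "order not allowed here".
    AllowOverride AuthConfig Limit
    # Net effect of these three lines: every host passes the host check,
    # so the password prompt is the only thing restricting access.
    Order deny,allow
    Deny from all
    Allow from all
</Directory>

# ---- /var/www/example/private/.htaccess ----
# Refuse plain-HTTP requests so Basic credentials are only sent over SSL
SSLRequireSSL
AuthType Basic
# Placeholder realm name shown in the browser prompt
AuthName "Private area"
# Placeholder path; keep the password file outside the web root.
# Create it with: htpasswd -c /etc/httpd/private.htpasswd <username>
AuthUserFile /etc/httpd/private.htpasswd
Require valid-user
```

After a restart, a request over plain HTTP should be refused and a request over HTTPS should produce the login prompt, with nothing new in /var/log/httpd/error.log.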