Hello, and welcome to the first in a series of Apache HOWTOs, packed with neat tips and tricks that allow you to get the most out of Apache on the Web. Whether you host your website yourself or pay for your hosting, there will be magic spells and potions in here for everyone! This issue covers a bit of the directory configuration permissions in httpd.conf, how to allow or deny access to a folder by IP address, how to password protect a folder, how to set up a 301 redirect, and even how to tell Apache to process .css and .html documents with PHP!
Apache’s httpd.conf – Configuration File for HTTP Daemon
If you run Linux, httpd.conf is usually located in /etc/httpd/conf/httpd.conf, or if you are using something like WAMP for Windows or MAMP for the Mac you will find it in the root of the program folder.
httpd.conf tells Apache how to behave: you tell it what port to listen on and which folders on your computer to serve on which domains. You can specify a folder using the <Directory> tag and give it a series of options. Here is an example snippet from the roger-davies.net www entry in httpd.conf:
<Directory "c:/wamp/www/">
Options Indexes FollowSymLinks
AllowOverride all
Order Deny,Allow
Allow from all
</Directory>
If you specify Indexes, Apache will list the directory contents of folders which have no index file (index.html, default.html, index.php, default.asp, etc). Otherwise you will likely get an error 403 – forbidden. FollowSymLinks tells Apache to show and follow symbolic links from this directory. There are other neat options, and having AllowOverride in the httpd.conf allows you to specify which of these options can be overridden with an .htaccess file.
For example, let’s say I wanted to give access to all files and folders from http://www.roger-davies.net; I would have the httpd.conf part as above. But suppose I then wanted to block all access to the folder http://www.roger-davies.net/private from all IP addresses except my own.
Not many hosts will allow you access to your httpd.conf (unless you’re lucky enough to have a virtual private server) but most good hosting accounts will still allow many of these options to be overridden using the .htaccess for your website!
Using .htaccess to Override httpd.conf Settings in Apache, Deny or Allow Access by IP Address
No problem! You can override this default setting (Allow from All) by having an .htaccess file placed in the folder /protected which contains:
Order Deny,Allow
Deny from All
Allow from 81.97.62.218
The .htaccess file affects the folder it is in and all of its sub-folders, but not the parent. This gives you a good way of creating ‘protected areas’ within your site. Order sets the sequence in which the two kinds of rule are evaluated: Order Deny,Allow tells Apache to evaluate the Deny rules first and the Allow rules second, so an Allow match overrides a Deny match. The above example is just ‘let nobody access, except 81.97.62.218’.
(Notice how these lines could have been added to the httpd.conf file). You can essentially turn on any directory options from here that you might normally include in the directory’s definition in the httpd.conf. This is one of the main reasons I find it helpful to run with AllowOverride all. Just like access, you can switch options on or off. For instance, let’s say I hadn’t included Options Indexes in my default www folder, but I had a folder I wanted the user to be able to browse. I can do this by adding the following line to an .htaccess file and placing it in this folder:
Options +Indexes
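How the Order directive decides the outcome of the IP rules above, as an added example that is not part of the original post. It is a small Python model of the evaluation, not Apache's own code, and it assumes the rule arguments are full IP addresses, CIDR blocks or "all"; the address 203.0.113.7 is a made-up visitor.

```python
import ipaddress

# Constructed samples: the page's rules, and the same rules with Order swapped.
PRIVATE = "Order Deny,Allow\nDeny from All\nAllow from 81.97.62.218\n"
SWAPPED = "Order Allow,Deny\nDeny from All\nAllow from 81.97.62.218\n"

def matches(spec, client):
    """True if one 'Allow from' / 'Deny from' argument covers the client IP."""
    if spec.lower() == "all":
        return True
    # strict=False accepts a single address as well as a CIDR block
    return ipaddress.ip_address(client) in ipaddress.ip_network(spec, strict=False)

def parse_rules(text):
    """Collect the Order, Allow and Deny directives from .htaccess-style text."""
    order, allow, deny = "deny,allow", [], []   # Deny,Allow is Apache's default
    for line in text.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        name = words[0].lower()
        if name == "order" and len(words) >= 2:
            order = "".join(words[1:]).lower()
        elif name in ("allow", "deny") and len(words) >= 3 and words[1].lower() == "from":
            (allow if name == "allow" else deny).extend(words[2:])
    return order, allow, deny

def is_allowed(text, client):
    """Apply the rules the way the Order directive prescribes."""
    order, allow, deny = parse_rules(text)
    allowed = any(matches(s, client) for s in allow)
    denied = any(matches(s, client) for s in deny)
    if order == "deny,allow":
        # Deny is evaluated first, Allow last: Allow wins, no match means access
        return allowed or not denied
    if order == "allow,deny":
        # Allow is evaluated first, Deny last: Deny wins, no match means refusal
        return allowed and not denied
    raise ValueError("unsupported Order value: " + order)

if __name__ == "__main__":
    for label, rules in (("Deny,Allow", PRIVATE), ("Allow,Deny", SWAPPED)):
        for ip in ("81.97.62.218", "203.0.113.7"):
            print(label, ip, "allowed" if is_allowed(rules, ip) else "403")
```

With the order swapped to Allow,Deny the same three lines lock out everybody, including 81.97.62.218, because Deny from All is then evaluated last. On Apache 2.4 these directives are deprecated and only available through mod_access_compat; the same policy is written there as Require ip 81.97.62.218.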
Password Protecting Folders with .htaccess
Rather than simply denying or granting access, you could use the .htaccess file to password protect a folder:
AuthUserFile C:\wamp\.htpasswd
AuthName "Login to the Private Area"
AuthType Basic
Require valid-user
Important (but hopefully obvious!) note: do not place the .htpasswd anywhere within the folders that are publicly available on the web!
To generate the .htpasswd file you can run the htpasswd program (located under Apache’s /bin folder for Windows, or in /usr/sbin/htpasswd for Linux).
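Simply run the following command in the command-line: htpasswd.exe -c passwordfile username. The -c switch creates the password file, replacing any existing file of that name, so leave it off when adding further users. The password file should be the one named in AuthUserFile, outside the web folders. Here is an example command I might use to create a new password file:
htpasswd.exe -c c:\wamp\.htpasswd thefraj
OR for Linux something like:
sudo htpasswd -cm /etc/httpd/.htpasswd thefraj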
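A check for the note above about keeping the password file out of the public folders, as an added example that is not part of the original post. It reads an .htaccess file's AuthUserFile line and reports whether the file it names sits under the web root; the function names, the ServerRoot values and all sample paths other than C:\wamp\.htpasswd and c:/wamp/www/ are assumptions made for the demonstration.

```python
import ntpath
import posixpath

def is_inside(path, root, windows):
    """True if path is root itself or lies below it, after normalising both."""
    mod = ntpath if windows else posixpath
    path = mod.normcase(mod.normpath(path))
    root = mod.normcase(mod.normpath(root))
    try:
        return mod.commonpath([path, root]) == root
    except ValueError:          # different drives, or relative vs absolute
        return False

def exposed_password_files(htaccess_text, doc_root, server_root, windows=False):
    """Return AuthUserFile arguments that resolve to a file under doc_root."""
    mod = ntpath if windows else posixpath
    exposed = []
    for line in htaccess_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "authuserfile":
            target = parts[1].strip().strip('"')
            # Apache resolves a relative AuthUserFile against ServerRoot
            full = mod.join(server_root, target)
            if is_inside(full, doc_root, windows):
                exposed.append(target)
    return exposed

# Constructed samples. The first is the page's own .htaccess; the others are
# made up to show a file inside the web root and a ServerRoot-relative path.
SAFE_WIN = r"""AuthUserFile C:\wamp\.htpasswd
AuthName "Login to the Private Area"
AuthType Basic
Require valid-user"""
BAD_WIN = r'AuthUserFile "C:\WAMP\www\private\.htpasswd"'
BAD_NIX = "AuthUserFile /var/www/protectedfolder/mypasswrdfile"
REL_NIX = "AuthUserFile conf/.htpasswd"

if __name__ == "__main__":
    # doc_root and server_root values below are assumptions for the demo
    print(exposed_password_files(SAFE_WIN, "c:/wamp/www/", "c:/wamp/apache", True))
    print(exposed_password_files(BAD_WIN, "c:/wamp/www/", "c:/wamp/apache", True))
    print(exposed_password_files(BAD_NIX, "/var/www", "/etc/httpd"))
    print(exposed_password_files(REL_NIX, "/var/www", "/etc/httpd"))
```

The comparison is done on whole path components after normalisation, so differences in letter case on Windows and ".." segments are handled, and /var/wwwroot is not mistaken for a sub-folder of /var/www.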
Setting Up 301 Redirect Rules Using .htaccess, non-Canonical Address Redirect
You can also use .htaccess to set up 301 redirects for incoming requests to another page:
Redirect 301 /oldpage.html http://www.example.co.uk/newpage.php
Redirect 301 /secondoldpage.html http://www.example.co.uk/newpage2.php
This is a perfect tactic if you have a new site built and the structure has changed. Perhaps the names of pages or their locations have changed – I find it helps to spend a bit of time filling out the .htaccess file with the necessary redirects to ensure search engines can still find everything! Or you can set up general rules for redirecting. Here is an example which will redirect every requested page to the www. equivalent.
# Permanently redirect requests for example.com to www.example.com
RewriteEngine On
RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]
I won’t get too deep into URL rewriting as this probably deserves an entire chapter just to itself! But, in a nutshell, .htaccess can be used to override all kinds of neat behaviour from the server. In a previous post about dynamic css, I showed how to use .htaccess to tell the server to process .html and .css documents using PHP:
AddType application/x-httpd-php .html .htm .css
AddHandler application/x-httpd-php .html .htm .css
which allows you to do all kinds of neat things. In fact, you can even use .htaccess to set or unset HTTP header directives and responses the server gives.
Even if you use a commercial hosting account, many of these tricks will still work, although your mileage will vary. Some tricks (such as the ‘AddHandler’ and ‘AddType’ directives or URL rewrite rules) may take some experimenting to get right – each server will be set up slightly differently, and what works on one may need altering slightly to work on another.
Well, this just about does it for this first installment. Next time: how to host multiple domains using Apache’s VirtualServer directive.
