An .htaccess file is a simple ASCII file created using a text editor such as Notepad or SimpleText. People are sometimes confused by the naming convention for the file, since .htaccess is not a file extension, but a complete file name. Its general use is to implement a custom error page or to password protect directories.
Creating the File
Create the file by opening up a text editor and saving an empty page as .htaccess. If you can't save an empty page, type in one character. An editor will probably append its default file extension to the name. Notepad, for one, would call the file .htaccess.txt, but the .txt or other file extension needs to be removed in order for the file to work correctly. This can be done using the regular file renaming procedure, or in telnet or your ftp program.
The file must be uploaded in ASCII mode, not binary. You can CHMOD the .htaccess file to 644 to make the file usable by the server while preventing it from being read by a browser, as that would seriously compromise the security of password protected directories. When you have password protected directories and a browser can read the .htaccess file, the location of the authentication file can be acquired to reverse engineer the list and access directories that had previously been protected. This can be prevented either by placing all authentication files above the root directory, thereby rendering them inaccessible from the www, or by including in .htaccess a series of commands that prevents it from being accessed by a browser.
Most commands in .htaccess are meant to be placed on one line only. So disable word wrap in your text editor, as it might produce some characters that don't work with Apache. .htaccess is not for NT servers and Apache is generally very tolerant of malformed content in an .htaccess file.
The .htaccess file affects the directory in which it is placed, as well as all subdirectories. If you'd rather not have certain .htaccess commands affect a specific directory, you can do that by placing a new .htaccess file within that directory, including only the commands by which you want it to be affected. The nearest .htaccess file to the current directory is the one considered the .htaccess file. A global .htaccess located in the root, if considered the nearest, affects every directory in the entire site.
Don't place .htaccess files indiscriminately, as this may result in redundancy and may cause an infinite loop of redirects or errors. There are hosts that do not allow the use of .htaccess files because a server overloaded with domains can be slowed down when all are using .htaccess files. It is also possible for .htaccess to compromise a server configuration specifically set up by the administrator. So make sure it is allowed before you use an .htaccess file.
Error documents are only a part of the general use of .htaccess. Specifying one's own customized error documents will require a command within the .htaccess file. The pages can be named anything and can be placed anywhere within the site as long as they are accessible through a URL. The best names are those that would prevent the user from forgetting what the page is being used for.
Password protection is effectively dealt with by .htaccess. You create a file called .htpasswd and place in it the username and the encrypted password of each person to be allowed access. For maximum security, the .htpasswd file should likewise not be uploaded to a directory that is Web accessible.
Whole directories of a site can be redirected using the .htaccess file without the need to specify each file. Thus any request made for an old site will be redirected to the new site, with the extra information in the URL added on. This is a very powerful feature when used correctly.
Aside from custom error pages, password protecting folders and automatic redirection of users, .htaccess is also capable of changing file extensions, banning users with certain IP addresses, allowing only users with certain IP addresses, stopping directory listing and using a different file as the index file. Accessing a site that has been protected by .htaccess will cause the browser to pop up a standard username/password display box. However, there are certain scripts available which will allow the user to embed a username/password box in a website to do the authentication. The wide variety of uses of .htaccess facilitates time saving options and increased security in a website.
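The uses described above, collected into one .htaccess file. This is an added example, not part of the original article; it assumes Apache 2.4 syntax, and every path, hostname and address in it is a placeholder.

```apache
# .htaccess (constructed example; paths, hostnames and addresses are placeholders)
# Assumes Apache 2.4 and that the main configuration's AllowOverride permits
# these directive types (AuthConfig, FileInfo, Indexes, Options).

# Refuse to serve .htaccess, .htpasswd and any other ".ht" file to a browser.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# Password protection: the credential file lives outside the web-accessible tree.
AuthType Basic
AuthName "Restricted area"
AuthUserFile "/home/example/private/.htpasswd"

# Allow only authenticated users who also connect from one address range.
<RequireAll>
    Require valid-user
    Require ip 192.0.2.0/24
</RequireAll>

# Custom error pages, addressed by URL path.
ErrorDocument 403 /errors/forbidden.html
ErrorDocument 404 /errors/not-found.html

# Redirect a whole directory; the rest of the requested path is appended.
Redirect permanent "/old-site" "https://new.example.com"

# Stop directory listings and use a different file as the index file.
Options -Indexes
DirectoryIndex home.html
```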
Many hosts support .htaccess but do not publicize it, while others have the capability but do not allow it. Generally, a server that runs UNIX or any version of the Apache Web server will support .htaccess although the host may not allow its use.
When Not to Use .htaccess Files
The .htaccess file should not be used when there is no access to the main server configuration file. Contrary to common belief, user authentication is not always done in .htaccess files. The preferred way is to put user authentication configuration in the main server configuration.
It should be used in situations where the content provider needs to make configuration changes to the server on a per-directory basis but does not have root access on the server system. Individual users can be permitted to make these changes in .htaccess files for themselves if the server administrator is unwilling to make frequent configuration changes. As a general rule, the use of .htaccess should be avoided when possible, since the same configuration can be made just as effectively in a <Directory> section in the main server configuration file.
Two main factors warrant avoiding the use of .htaccess files: performance and security. Permitting .htaccess files causes a performance hit whether or not one is actually used, since Apache will look in every directory for such a file. The .htaccess file is also read every time a document is requested. The Apache search will include .htaccess files in all higher-level directories in order to have the full complement of directives to apply. As such, each file accessed out of the directory results in four additional file system accesses even if none was originally present.
The use of .htaccess permits users to modify server configuration, which may produce uncontrolled changes. This privilege should be carefully considered before it is given to users. The use of .htaccess files can be completely disabled by setting the AllowOverride directive to None.