A few weeks back, I updated two websites (which run on my ISPs’ Apache servers) to use various features which improve the experience for users of the site. These features include:
All of these features (and more) may be controlled on an Apache server using a file called .htaccess, which is intended for users who do not have access to the server configuration to make configuration changes on a per-directory basis.
In general, where access to the server configuration is available, then changes should be made at the server level; however in a hosted environment, .htaccess allows content providers to make their own configuration without affecting other users of the server.
Administrators should be made aware that enabling .htaccess on a server does incur a performance hit as Apache will look in every directory on the path for an .htaccess file, and will load the file, whether or not the directives contained within .htaccess are relevant to the HTTP request. For this reason, some ISPs may prohibit the use of .htaccess.
Microsoft Internet Information Server (IIS) does not have an equivalent to .htaccess and all configuration must be carried out using the various IIS administration tools (along with an appropriate organisational security model).
Apache Tutorial: .htaccess files
Comprehensive guide to .htaccess
One of the features used in my website is server side includes (SSI). The SSI code allows my sites to include dynamic information which would otherwise require scripting that may not function correctly with certain browsers.
SSI is pretty simple. Apache users need to edit the .htaccess file in their web root directory to allow SSI, adding the following lines:
AddType text/html .shtml
AddHandler server-parsed .shtml
Some of these may not be necessary if they have been set at a higher level in the Apache configuration by the ISP or server administrator – for full details, see the Apache Tutorial: Introduction to Server Side Includes.
Microsoft Internet Information Server (IIS) users can find information on using server side include directives in the IIS 6.0 Operations Guide.
Once enabled, pages which call the server-based code should be named .shtml (or whatever file extension is defined in the configuration). Because my ISP has configured its servers for the default web page to be called index.htm or index.html, it was also necessary to change the default documents for the website.
One use of SSI is to reuse common HTML code (e.g. headers, menus, etc.), but another useful application is to report document information (e.g. date last modified). There are many references on the Internet for SSI options, but one of the most useful is Craig McFetridge’s SSI page on the Carleton University website, with another being the one found on the ThinkQuest Amazing HTML website.
One of the features used in my website is custom error pages, which allow errors to be handled using a format that matches other documents on the site.
Apache users can configure custom error messages using .htaccess. Once pages have been created for an error message, include a directive in the .htaccess file as follows:
ErrorDocument error-code document
For example, ErrorDocument 404 /errors/404-notfound.shtml will display the /errors/404-notfound.shtml document whenever a page not found (HTTP error 404) error occurs.
Full details for Apache users may be found in the Apache core features documentation.
Microsoft Internet Information Server (IIS) users can find information on configuring custom error messages in the IIS 6.0 Operations Guide.
RFC 2616 details all HTTP status (including error) codes.
My ISPs’ Apache servers are configured for index.html and index.htm to be the default documents; however since implementing server side includes in my websites I need index.shtml to be recognised as the default document.
Fortunately, this can be achieved using the following directive in the corresponding .htaccess file:
DirectoryIndex index.shtml index.html index.htm
Microsoft Internet Information Server (IIS) users can find information on setting up default documents in the IIS 6.0 Operations Guide.
Whilst looking at the website statistics for my main website, I realised that many users were attempting to access pages that no longer exist on the server. Some may argue that old content should be left in place, but others will disagree and my preferred approach is to redirect requests to the new locations, or at least to provide a polite message that the document has been removed and a link to the home page! Fortunately on an Apache server, this may easily be achieved using an .htaccess directive.
Various types of redirect are available through .htaccess, using the syntax:
Redirect [status] URL-path URL
The status argument can be used to return a number of HTTP status codes:
permanent returns a permanent redirect status (301) indicating that the resource has moved permanently.
temp returns a temporary redirect status (302). This is the default and is assumed if no status argument is given, indicating to the client that the resource has moved temporarily.
seeother returns a “See Other” status (303) indicating that the resource has been replaced.
gone returns a “Gone” status (410) indicating that the resource has been permanently removed. When this status is used the URL argument should be omitted.
Other status codes can be returned by giving the numeric status code as the value of status. If the status is between 300 and 399, the URL argument must be present, otherwise it must be omitted.
For example, a temporary redirection from old file or directory to new:
Redirect /olddirectory/oldfile.html http://yoursite.com/newdirectory/newfile.html
Redirect /olddirectory http://yoursite.com/newdirectory/
or a permanent redirect:
Redirect permanent /olddirectory http://www.yoursite.com/
or redirect with error 410:
Redirect gone /oldfile.html
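The argument rule above (a target URL is required for a 3xx status and must be omitted otherwise) is easy to get wrong when editing by hand. The following linter is an added example, not code from the original post; the function names and the two faulty sample lines are constructed for illustration.

```python
import shlex

# Keyword -> HTTP status, exactly as listed in the text above.
STATUS_KEYWORDS = {"permanent": 301, "temp": 302, "seeother": 303, "gone": 410}

# Constructed sample: the page's own examples plus two deliberate mistakes.
SAMPLE = """\
# redirects for retired content
Redirect /olddirectory/oldfile.html http://yoursite.com/newdirectory/newfile.html
Redirect permanent /olddirectory http://www.yoursite.com/
Redirect gone /oldfile.html
Redirect gone /removed.html http://www.yoursite.com/
Redirect 301 /moved.html
"""


def check_redirect(line):
    """Return (status, problems) for one Redirect line."""
    args = shlex.split(line)[1:]          # drop the directive name
    status = 302                          # 'temp' is assumed when no status is given
    if args and (args[0].lower() in STATUS_KEYWORDS or args[0].isdigit()):
        word = args.pop(0).lower()
        status = STATUS_KEYWORDS.get(word) or int(word)
    if not args:
        return status, ["missing URL-path"]
    targets = args[1:]                    # everything after the URL-path
    problems = []
    if 300 <= status <= 399 and len(targets) != 1:
        problems.append(f"status {status} needs exactly one target URL")
    if not 300 <= status <= 399 and targets:
        problems.append(f"status {status} must not be given a target URL")
    return status, problems


def lint_redirects(text):
    """Return [(line_number, problem)] for every faulty Redirect in an .htaccess."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if line.strip().lower().startswith("redirect "):   # skips RedirectMatch etc.
            _, problems = check_redirect(line.strip())
            findings.extend((number, p) for p in problems)
    return findings


if __name__ == "__main__":
    for number, problem in lint_redirects(SAMPLE):
        print(f"line {number}: {problem}")
```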
Full details for Apache users may be found in the Apache HTTP Server documentation.
Microsoft Internet Information Server (IIS) users can find information on redirecting requests to files, directories or programs in the IIS 6.0 Operations Guide.
RFC 2616 details all HTTP status (including error) codes.
When no default document is found on a web server, depending on the server configuration, users may be able to list the files in a given directory. For Apache servers, this may be prevented on a per-directory basis by adding an IndexIgnore directive to an .htaccess file.
The syntax is:
IndexIgnore file [file] ...
IndexIgnore * will prevent listing of all files, or alternatively, individual files may be specified.
Full details may be found in the Apache HTTP Server documentation.
Under certain circumstances, it may be necessary to deny users access to various files on a web server.
For example, some directives in an Apache .htaccess file may be considered a security risk and so access to the file may be prevented using the following directives:
<Files .htaccess>
order allow,deny
deny from all
</Files>
The first line limits the directive to the .htaccess file (simply change the filename to limit access to other files), whilst the remaining code sets deny to have precedence over allow, denies access from all users and then terminates the directive.
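A small audit covering both the directory-listing and the file-protection passages above, as an added example that is not part of the original post (function name and sample files are constructed). It relies on two facts about Apache: IndexIgnore only hides entries from the generated listing, so hidden files are still served when requested by URL, whereas Options -Indexes disables the listing itself; and Require all denied is the Apache 2.4 spelling of deny from all.

```python
import re

FILES_OPEN = re.compile(r'<Files\s+"?([^">\s]+)"?\s*>', re.I)
DENY_ALL = re.compile(r"^(deny\s+from\s+all|require\s+all\s+denied)$", re.I)

# Constructed samples: the directives as used on this page, and a tightened variant.
PAGE_STYLE = """\
IndexIgnore *
<Files .htaccess>
order allow,deny
deny from all
</Files>
"""
HARDENED = """\
Options -Indexes
<Files ".htaccess">
Require all denied
</Files>
"""


def audit_htaccess(text):
    """Return findings about listing and file-protection directives."""
    section = None             # file name of the <Files> block being read
    protected = set()          # file names covered by a deny-all rule
    index_ignore = listing_off = False
    for raw in text.splitlines():
        line = raw.strip()
        opened = FILES_OPEN.match(line)
        if opened:
            section = opened.group(1)
        elif line.lower().startswith("</files"):
            section = None
        elif section and DENY_ALL.match(line):
            protected.add(section)
        elif line.lower().startswith("indexignore"):
            index_ignore = True
        elif re.match(r"options\b.*-indexes\b", line, re.I):
            listing_off = True
    findings = []
    if index_ignore and not listing_off:
        findings.append("IndexIgnore only hides entries; add 'Options -Indexes'")
    if ".htaccess" not in protected:
        findings.append("no <Files .htaccess> block denying all access")
    return findings
```

The check is a heuristic over a single file: it does not model Options merging or rules inherited from the server configuration.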