The following is a brief introduction to Apache's htaccess file for web application deployment, distribution, or implementation on shared hosting environments.
The Apache htaccess file is not new; however it seems to only be used by more advanced Apache users and web application developers. This article aims to to point one on the right path to learn about htaccess and Apache directives by outlining how I have used and have seen Apache's htaccess file used in the real world.
It is assumed the reader is familiar with Apache and has a basic understanding of Apache configuration. The latter part of the article assumes a basic familiarity with PHP configuration directives.
2. What is an Apache htaccess file?
The Apache webserver is powerful. There are many ways to configure Apache depending on your goals.
An htaccess file allows one to make Apache configuration changes on a per directory basis.
You can develop your site with custom configuration options and deploy it without problems on another similarly configured Apache server without the need to have direct access to the Apache configuration file (httpd.conf).
To create a htaccess file, simply create a file called ".htaccess" in directory accessible through Apache and thats it! And note, in unix like operating systems, files that begin with "." are hidden.
You can now enter directives directly into the file.
3. When should I use htaccess for deployment?
If you are deploying a web application on a dedicated server, htaccess may not be the best solution. You should customize your Apache configuration file for your specific application and centralize its configuration. making these easier to maintain, However; if you are writing applications for distribution, such as open source web applications, or are working on a shared hosting, or multiple application deployment environment, htaccess may be the best solution for you.
With Apache's htaccess file, you do not have to worry as much about your application breaking while moving to deployment environments. An example many PHP programmers may be familiar with are the PHP magic_quotes directives. These directives are what is responsible for slashes that magically seem to appear, or disappear. A knowledge of magic quotes, or lack of them, is very important as the lack of adding escape characters it is a security risk leading to many SQL injection attacks, the most common security hole is database applications. I will provide some links to SQL injection attack descriptions at the end of this article.
Other things that may be done with htaccess files are as follows:
- Username/Password protection of site directories.
- Disallowing the display of directory contents without an index page.
- Modifying the file types that are allowed to be accessed through the web.
- Setting configuration options for web scripting languages such as PHP (overwriting php.ini)
- Specifying new file types and file type handling.
- Adding new content types
- Blocking specific address from accessing your server.
Many, many more useful things can be done with htaccess. It is recommended you take a browse through the Apache configuration directives, referenced below.
To use htaccess files, the server first must allow support for them.
The most common problem why htaccess files do not work is because the AllowOverride directive has not been set for document path directory. This option is only set in the the Apache configuration file (httpd.conf). If your htaccess file doesn't seem to work, contact your local administrator and ask her to setup htaccess permissions for your application directory or, if you are the local system administrator, set it up by doing the setting the following:
<Directory "/path/to/my/document/root"> AllowOverride All </Directory>
Note: The AllowOverride directive has many options besides All. AllowOverride All just gives you full access to override all directives for the directory specified. If you are a system administrator, this behavior might not be what you desire. If that's the case I have provided a link to the Apache manual at the bottom of this article where you can find more information about the AllowOverride directive.
4. How can I override my PHP ini settings with htaccess?
After reading the above, you should have a better understanding of overwriting Apache configuration directives using htaccess.
Some PHP configuration options may be overwritten in the htaccess file, although not all of them.
You may find a link to the PHP configuration options at the end of this article. It also provides information on what options you can and can not modify.
You may override PHP ini settings in the htaccess files with the following directives:
note: to clear a value, set the value to "none".
php_value [configuration_option_name] [value] (only valid with PHP_INI_ALL and PHP_INI_PERDIR directives) php_flag [configuration_option_name] [on|off] (only valid with PHP_INI_ALL and PHP_INI_PERDIR directives)
Directives which can not be modified through the htaccess file may be modified through the Apache configuration file (httpd.conf) with the following php admin directives:
php_admin_value [configuration_option_name] [value] php_admin_flag [configuration_option_name] [on|off]
Here are some real world examples:
Disabling magic quotes (manual handling of escape characters):
php_flag magic_quotes_runtime off php_flag magic_quotes_sybase off php_flag magic_quotes_gpc off
Modifying the maximum file upload size:
php_value upload_max_filesize "16M"
Turning off error reporting:
php_flag display_errors off
List of PHP configuration options:
Apache 2.2 manual - http://httpd.apache.org/docs/2.2/
Apache 2.0 manual - http://httpd.apache.org/docs/2.0/
Apache 1.3 manual - http://httpd.apache.org/docs/1.3/
SQL Injection Information:
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 2.5 License.