.htaccess tips and tricks

<ifModule>
 clever stuff here
</ifModule>

Introduction to .htaccess..

This work in constant progress is some collected wisdom, stuff I've learned on the topic of .htaccess hacking, commands I've used successfully in the past, on a variety of server setups, and in most cases still do. You may have to tweak the examples some to get the desired result, though, and a reliable test server is a powerful ally, preferably one with a similar setup to your "live" server. Okay, to begin..

..an old Win32 Apache mirror of corz.org     
peecee Explorer view with invisible files

.htaccess files are invisible

There's a good reason why you won't see .htaccess files on the web; almost every web server in the world is configured to ignore them, by default. Same goes for most operating systems. Mainly it's the dot "." at the start, you see?

If you don't see, you'll need to disable your operating system's invisible file functions, or use a text editor that allows you to open hidden files, something like bbedit on the Mac platform. On windows, showing invisibles in explorer should allow any text editor to open them, and most decent editors to save them too**. Probably most Linux users know how to find them without any help from me.

In the image, the operating system has been instructed to display invisible files. ugly, but necessary sometimes. You will also need to instruct your ftp client to do the same.

By the way; that folder is no longer there. But folks still find it via my clever 404 script.



What are .htaccess files anyway?

Simply put, they are invisible plain text files where one can store server directives. Server directives are anything you might put in an Apache config file (httpd.conf) or even a php.ini**, but unlike those "master" directive files, these .htaccess directives apply only to the folder in which the .htaccess file resides, and all the folders inside.

This ability to plant .htaccess files in any directory of our site allows us to set up a finely-grained tree of server directives, each subfolder inheriting properties from its parent, whilst at the same time adding to, or over-riding certain directives with its own .htaccess file.

For instance, you could use .htacces to enable indexes all over your site, and then deny indexing in only certain subdirectories, or deny index listings site-wide, and allow indexing in certain subdirectories. One line in the .htaccess file in your root and your whole site is altered. From here on, I'll probably refer to the main .htaccess in the root of your website as "the master .htaccess file", or "main" .htaccess file.

There's a small performance penalty for all this .htaccess file checking, but not noticeable, and you'll find most of the time it's just on and there's nothing you can do about it anyway, so let's make the most of it..

** Your main php.ini, that is, unless you are running under phpsuexec/CGI, in which case the directives would go inside individual php.ini files (sometimes named ".user.ini") in your site's directories.

Is .htaccess enabled?

It's unusual, but possible that .htaccess is not enabled on your site. If you are hosting it yourself, it's easy enough to fix; open your httpd.conf in a text editor, and locate this <Directory> section..

Your DocumentRoot  may be different, of course..
# This should be changed to whatever you set DocumentRoot to.
#
<Directory "/var/www/htdocs">
#

..locate the line that reads..

AllowOverride None

..and change it to..

AllowOverride All

Restart Apache. Now .htaccess will work. You can also make this change inside a virtual host, which would normally be preferable. In fact, if you are hosting yourself, it's probably smarter to disable .htaccess altogether and make all these changes in the virtual host configuration!

If your site is hosted elsewhere, check your control panel (Plesk. CPanel, etc.) to see if you can enable .htaccess there, and if not, contact your hosting admins. Perhaps they don't allow this. In which case, switch to a better web host.

What can I do with .htaccess files?

Almost any directive that you can put inside an httpd.conf file will also function perfectly inside an .htaccess file. Unsurprisingly, the most common use of .htaccess is to..

Control (Allow/Deny) Access..

.htaccess is most often used to restrict or deny access to individual files and folders. A typical example would be an "includes" folder. Your site's pages can call these included scripts all they like, but you don't want users accessing these files directly, over the web. In that case you would drop an .htaccess file in the includes folder with content something like this..

NO ENTRY!
# no one gets in here!
deny from all

which would deny ALL direct web (HTTP) access to ANY files in that folder (your scripts reach them via the filesystem). You can be more specific with your conditions, for instance limiting access to a particular IP range, here's a handy top-level ruleset for a local test server..

NO ENTRY outside of the LAN!
# no nasty crackerpots in here!
Order Allow,Deny
Deny from All
Allow from 192.168.0.0/24
# this would do the same thing..
#Allow from 192.168.0

Note the Order directive, which controls the order in which Apache handles the access rules (aka. directives) when making its three passes. With Allow,Deny, first checking and applying Allow rules, then Deny rules, and denying everything else. With Deny,Allow, first applying Deny rules, then Allow rules, then allowing everything else.

If you think about it, the Deny line in example above, is redundant. This..

NO ENTRY outside of the LAN!
Order Allow,Deny
Allow from 192.168.0

.. is enough to secure a local server. And because Apache processes the directives in three groups (one on each pass), the processing order defined by the Order directive, the actual ordering of the rules in your config file is unimportant. This..

NO ENTRY outside of the LAN!
Allow from 192.168.0.0/24
Order Allow,Deny

..is identical in operation to the previous example.

Generally these sorts of requests would bounce off your firewall anyway, but on a live server (like my dev mirrors sometimes are) they become useful for filtering out undesirable IP blocks, known risks, lots of things. By the way, in case you hadn't spotted; lines beginning with "#" are ignored by Apache; handy for comments.

Sometimes, you will only want to ban one IP, perhaps some persistent robot that doesn't play by the rules..

post user agent every fifth request only. hmmm. ban IP..
# someone else giving the ruskies a bad name..
order allow,deny
deny from 83.222.23.219
allow from all

The usual rules for IP addresses apply, so you can use partial matches, ranges, and so on. Whatever, the user gets a 403 "access denied" error page in their client software (browser, usually), which certainly gets the message across. This is probably fine for most situations, but in part two I'll demonstrate some cooler ways to deny access, as well as how to deny those nasty web suckers, bad referrers, script kiddies and more.

One final note about Allow and Deny rules for local servers (or anywhere you have acceess to the main httpd.conf, vhost.conf and such files). If AllowOverride All is set in a config file processed before the one containing these rules (it usually is), they will override any rules set in the preceding config file.

For example, if you have AllowOverride All and Deny All set in your VirtualHost config, and Allow All in your .htaccess, the .htaccess rules apply, allowing access from all addresses. If you delete the Allow rule in the .htaccess, the rules from your VirtualHost config will apply. If you delete those rules, the ones from your main httpd.conf will apply. <Location> rules override everything.

Custom error documents..

I guess I should briefly mention that .htaccess is where most folk configure their error documents. Usually with sommething like this..

the usual method. the "err" folder (with the custom pages) is in the root
# custom error documents
ErrorDocument 401 /err/401.php
ErrorDocument 403 /err/403.php
ErrorDocument 404 /err/404.php
ErrorDocument 500 /err/500.php

You can also specify external URLs, though this can be problematic, and is best avoided. One quick and simple method is to specify the text in the directive itself, you can even use HTML (though there is probably a limit to how much HTML you can squeeze onto one line). Remember, for Apache 1; begin with a ", but DO NOT end with one. For Apache 2, you can put a second quote at the end, as normal.

measure twice, quote once..
# quick custom error "document"..
ErrorDocument 404 "<html><head><title>NO!</title></head><body><h2><tt>There is nothing here.. go away quickly!</tt></h2></body></html>

Using a custom error document is a Very Good Idea, and will give you a second chance at your almost-lost visitors. I recommend you get mine. But then, I would.

Password protected directories..

The next most obvious use for our .htaccess files is to allow access to only specific users, or user groups, in other words; password protected folders. a simple authorisation mechanism might look something like this..

a simple sample .htaccess file for password protection:
AuthType Basic
AuthName "restricted area"
AuthUserFile /usr/local/var/www/html/.htpasses
require valid-user

You can use this same mechanism to limit only certain kinds of requests, too..

only valid users can POST in here, anyone can GET, PUT, etc:
AuthType Basic
AuthName "restricted area"
AuthUserFile /usr/local/var/www/html/.htpasses
<Limit POST>
 require valid-user
</Limit>

You can find loads of online examples of how to setup authorization using .htaccess, and so long as you have a real user (or create one, in this case, 'jimmy') with a real password (you will be prompted for this, twice) in a real password file (the -c switch will create it)..

htpasswd -c /usr/local/var/www/html/.htpasses jimmy

..the above will work just fine. htpasswd is a tool that comes free with Apache, specifically for making and updating password files, check it out. The windows version is the same; only the file path needs to be changed; to wherever you want to put the password file.

Note: if the Apache bin/ folder isn't in your PATH, you will need to cd into that directory before performing the command. Also note: You can use forward and back-slashes interchangeably with Apache/php on Windows, so this would work just fine..

htpasswd -c c:/unix/usr/local/Apache2/conf/.htpasses jimmy

Relative paths are fine too; assuming you were inside the bin/ directory of our fictional Apache install, the following would do exactly the same as the above..

htpasswd -c ../conf/.htpasses jimmy

Naming the password file .htpasses is a habit from when I had to keep that file inside the web site itself, and as web servers are configured to ignore files beginning with .ht, they too, remain hidden. If you keep your password file outside the web root (a better idea), then you can call it whatever you like, but the .ht_something habit is a good one to keep, even inside the web tree, it is secure enough for our basic purpose..

Once they are logged in, you can access the remote_user environmental variable, and do stuff with it..

the remote_user variable is now available..
RewriteEngine on
RewriteCond %{remote_user} !^$ [nc]
RewriteRule ^(.*)$ /users/%{remote_user}/$1

Which is a handy directive, utilizing mod_rewrite; a subject I delve into far more deeply, in part two.

Get better protection..

The authentication examples above assume that your web server supports "Basic" http authorisation, as far as I know they all do (it's in the Apache core). Trouble is, some browsers aren't sending password this way any more, personally I'm looking to php to cover my authorization needs. Basic auth works okay though, even if it isn't actually that secure - your password travels in plain text over the wire, not clever.

If you have php, and are looking for a more secure login facility, check out pajamas. It's free. If you are looking for a password-protected download facility (and much more, besides), check out my distro machine.

500 error..

If you add something that the server doesn't understand or support, you will get a 500 error page, aka.. "the server did a boo-boo". Even directives that work perfectly on your test server at home may fail dramatically at your real site. In fact this is a great way to find out if .htaccess files are enabled on your site; create one, put some gibberish in it, and load a page in that folder, wait for the 500 error. if there isn't one, probably they are not enabled.

If they are, we need a way to safely do live-testing without bringing the whole site to a 500 standstill.

Fortunately, in much the same way as we used the <Limit> tag above, we can create conditional directives, things which will only come into effect if certain conditions are true. The most useful of these is the "ifModule" condition, which goes something like this..

only if PHP is loaded, will this directive have any effect (switch the 4 for a 5 if using php5)
<ifModule mod_php4.c>
 php_value default_charset utf-8
</ifModule>

..which placed in your master .htaccess file, that would set the default character encoding of your entire site to utf-8 (a good idea!), at least, anything output by PHP. If the PHP4** module isn't running on the server, the above .htaccess directive will do exactly nothing; Apache just ignores it. As well as proofing us against knocking the server into 500 mode, this also makes our .htaccess directives that wee bit more portable. Of course, if your syntax is messed-up, no amount of if-module-ing is going to prevent a error of some kind, all the more reason to practice this stuff on a local test server.

** note: if you are using php5, you would obviously instead use <ifModule mod_php5.c>.

Groovy things to do with .htaccess..

So far we've only scratched the surface. Aside from authorisation, the humble .htaccess file can be put to all kinds of uses. If you've ever had a look in my public archives you will have noticed that that the directories are fully browsable, just like in the old days before adult web hosts realized how to turn that feature off! A line like this..

bring back the directories!
Options +Indexes +MultiViews +FollowSymlinks

..will almost certainly turn it back on again. And if you have mod_autoindex.c installed on your server (probably, yes), you can get nice fancy indexing, too..

show me those files!
<IfModule mod_autoindex.c>
 IndexOptions FancyIndexing
</ifModule>

..which, as well as being neater, allows users to click the titles and, for instance, order the listing by date, or file size, or whatever. It's all for free too, built-in to the server, we're just switching it on. You can control certain parameters too..

let's go all the way!
<IfModule mod_autoindex.c>
 IndexOptions FancyIndexing IconHeight=16 IconWidth=16
</ifModule>

Other parameters you could add include..

NameWidth=30
DescriptionWidth=30
IconsAreLinks
SuppressHTMLPreamble (handy! or..)
XHTML (at last!)

I've chucked one of my old fancy indexing .htaccess file onsite for you to have some fun with. Just add a readme.html and away you go! Note: these days I generally use a single header files for all the indexes..

HeaderName /inc/header.html

.. and only drop in local readme.html files. Check out the example, and my public archives for more details.

custom directory index files

While I'm here, it's worth mentioning that .htaccess is where you can specify which files you want to use as your indexes, that is, if a user requests /foo/, Apache will serve up /foo/index.html, or whatever file you specify.

You can also specify multiple files, and Apache will look for each in order, and present the first one it finds. It's generally setup something like..

DirectoryIndex index.html index.php index.htm

It really is worth scouting around the Apache documentation, often you will find controls for things you imagined were uncontrollable, thereby creating new possibilities, better options for your website. My experience of the magic "LAMP" (Linux-Apache-MySQL-PHP) has been.. "If you can imagine that it can be done, it can be done". Swap "Linux" for any decent operating system, the "AMP" part runs on most of them.

Okay, so now we have nice fancy directories, and some of them password protected, if you don't watch out, you're site will get popular, and that means bandwidth..

Save bandwidth with .htaccess!

If you pay for your bandwidth, this wee line could save you hard cash..

save me hard cash! and help the internet!
<ifModule mod_php4.c>
 php_value zlib.output_compression 16386
</ifModule>

All it does is enables PHP's built-in transparent zlib compression. This will half your bandwidth usage in one stroke, more than that, in fact. Of course it only works with data being output by the PHP module, but if you design your pages with this in mind, you can use php echo statements, or better yet, php "includes" for your plain html output and just compress everything! Remember, if you run phpsuexec, you'll need to put php directives in a local php.ini file, not .htaccess. See here for more details.

Hide and deny files..

Do you remember I mentioned that any file beginning with .ht is invisible? .."almost every web server in the world is configured to ignore them, by default" and that is, of course, because .ht_anything files generally have server directives and passwords and stuff in them, most servers will have something like this in their main configuration..

Standard setting..
<Files ~ "^\.ht">
 Order allow,deny
 Deny from all
 Satisfy All
</Files>

which instructs the server to deny access to any file beginning with .ht, effectively protecting our .htaccess and other files. The "." at the start prevents them being displayed in an index, and the .ht prevents them being accessed. This version..

ignore what you want
<Files ~ "^.*\.([Ll][Oo][Gg])">
 Order allow,deny
 Deny from all
 Satisfy All
</Files>

tells the server to deny access to *.log files. You can insert multiple file types into each rule, separating them with a pipe "|", and you can insert multiple blocks into your .htaccess file, too. I find it convenient to put all the files starting with a dot into one, and the files with denied extensions into another, something like this..

the whole lot
# deny all .htaccess, .DS_Store $hî†é and ._* (resource fork) files
<Files ~ "^\.([Hh][Tt]|[Dd][Ss]_[Ss]|[_])">
 Order allow,deny
 Deny from all
 Satisfy All
</Files>

# deny access to all .log and .comment files
<Files ~ "^.*\.([Ll][Oo][Gg]|[cC][oO][mM][mM][eE][nN][tT])">
 Order allow,deny
 Deny from all
 Satisfy All
</Files>

would cover all ._* resource fork files, .DS_Store files (which the Mac Finder creates all over the place) *.log files, *.comment files and of course, our .ht* files. You can add whatever file types you need to protect from direct access. I think it's clear now why the file is called ".htaccess".

<FilesMatch>

These days, using <FilesMatch> is preferred over <Files>, mainly because you can use regular expression in the conditions (very handy), produce clean, more readable code. Here's an example. which I use for my php-generated style sheets..

parse file.css and file.style with the php machine..
# handler for phpsuexec..
<FilesMatch "\.(css|style)$">
 SetHandler application/x-httpd-php
</FilesMatch>

Any files with a *.css or *.style extension will now be handled by php, rather than simply served up by Apache. And because you can use regexp, you could do stuff like <FilesMatch "\.s?html$">, which is handy. Any <Files> statements you come across can be advantageously replaced by <FilesMatch> statements. Good to know.

More stuff..

At the end of my .htaccess files, there always seems to be a section of "stuff"; miscellaneous commands, mainly php flags and switches; so it seems logical to finish up the page with a wee selection of those..

php flags, switches and other stuff..
# let's enable php (non-cgi, aka. 'module') for "EVERYTHING"..
AddType application/x-httpd-php5 .htm .html .php .blog .comment .inc

# better yet..
AddHandler php5-script .php

# legacy php4 version..'
AddType application/x-httpd-php .htm .html .php .blog .comment .inc

# don't even think about setting this to 'on'
php_value register_globals off

# no session id's in the URL PULEEZE!
php_value session.use_trans_sid 0

# should be the same as..
php_flag session.use_trans_sid off

# using both should also work fine!
# php error logs..
php_flag display_errors off
php_flag log_errors on
php_value track_errors on
php_value error_log /home/cor/errors/phperr.log

# if you like to collect interesting php system shell access and web hack scripts
# get yourself a SECURE upload facility, and just let the script-kiddies come …
# in no time you will have a huge selection of fascinating code. If you want folk to
# also upload zips and stuff, you might want to increase the upload capacities..
php_value upload_max_filesize 12M
php_value post_max_size 12M

# php 5 only, afaik. handy when your server isn't where YOU are.
php_value date.timezone Europe/Aberdeen
# actually, Europe/Aberdeen isn't a valid php timezone, so that won't work.
# I recommend you check the php manual for this function, because many crazy places ARE!

Note: For most of the flags I've tested, you can use on/off and true/false interchangeably, as well as 0/1, also php_value and php_flag can be switched around while things continue to work as expected! I guess, logically, booleans should always be php_flag, and values, php_value; but suffice to say, if some php erm, directive isn't working, these would all be good things to fiddle with!

Of course, the php manual explains all. The bottom line is; both will work fine, but if you use the wrong type in .htaccess, say, set a php_flag using php_value, a php ini_get() command, for instance, would return true, even though you had set the value to off, because it reads off value as a string, which of course evaluates to not-zero, i.e. 1, or "true". If you don't rely on get_ini(), or similar, it's not a problem, though clearly it's better to get it right from the start. By the way; one of the values above is incorrectly set. Did you spot it?

Most php settings, you can override inside your actual scripts, but I do find it handy to be able to set defaults for a folder, or an entire site, using .htaccess.

over to you..

That should get you started with .htaccess, quite easy when you know how. If you really want to bend your brain out of shape, follow the link below for part two of the series, where I delve into the arcane mysteries of URL rewriting.

;o)

Before you ask a question..

Firstly, read this at least once in your life. I insist!

NOTE: THIS IS NOT A COMMUNITY. And I am not your free tech dude. Sure, folk sometimes drop back in, but realistically, the chances of someone else coming along and answering your tech question are about as close to zero as it gets; almost no one sticks around but me, the guy who wrote all that text (above).

If you can't be bothered to read the article, I can't be bothered responding. Capiche? I do read all comments, though, and answer questions about the article. I'm also keen to discuss anything you think I've missed, or interesting related concepts in general.

If you are still sure that you want to post your own, personal, tech question, then please ensure that you first, either..

a) Have read the article (above) and have tried "everything" yourself; in which case; post the exact code that isn't working (preferably inside [pre][/pre] tags), replacing any personal domain names with "example.com" (advertising gets deleted) or else..

b) Pay me. The PayPal button is at the top right of the page. I offer many related services, if you need priority assistance, get in touch.

Other posts will be ignored and/or deleted.

If you want to know about rewriting with mod_rewrite please see the next page!



previous comments (thirty pages)   show all comments

Steve - 01.02.13 9:20 pm

Thanks for your prompt reply.

I do have a question about the /include1 folder. In my setup, the /include1 folder contains files for PHP functions and other useful PHP code that are 'included' and used by application PHP scripts.

I want to setup the structure and .htaccess to allow the application PHP scripts to use the keyword 'include' to add PHP files from the /include1 directory but PREVENT site visitors from running the /include1 PHP files directly (these files only make sense in the context where they are included)?

Any help would be appreciated!


It is explained here. ;o) Cor



Chetan Sharma - 31.03.13 1:33 pm

Thanks buddy, it really helps


hisham - 29.07.13 3:07 am

i`m using joomla 1.5

i have 2 server connection

local network ---->info.kk.net (domain server. local only)---->10.4.8.15 (local joomla installation)

i`m using reverse proxy

the address for the site is http://info.kk.net/mysite and it can open the site

but when i point to the menu it point to http://10.4.8.15/mysite/...

so i want the site is point to http://info.kk.net/mysite/...

can i use .htaccess for this. anyone can help me?

check out part 2 - rewriting (link above these comments). ;o) Cor



Jugnu - 19.09.13 4:20 am

Hi

I am trying find a code for restricting folder access only if the request has come via a specific port.

For e.g. I am setting up Port 7050 and have got the Incoming and Outgoing Enabled on TCP.

Now I want the .htaccess script to use to allow content under the folder accessible only if the content was requested via the port 7050.

Thanks.

RewriteCond %{SERVER_PORT} ^7050$
;o) Cor



R.S - 21.11.13 5:40 am

i couldn't update my htaccess file.No changes can be done in htaccess file.If i did changes then within 5 seconds htaccess file regaining its old content.Can anyone say what the problem is?

Bad Web Host. ;o) Cor



jazz - 24.11.13 6:29 pm

Hi corz - thanks for the article.
I'll be back to study it more as I try to implement
many of your suggestions.

Right now I'm trying to do something and dont know
if its possible ... at least I cant work it out?

I have a folder tree protected by htpassword (auth basic?) and in that
tree I have a php file I want to use to check the username
of the person reading it ... that person has just logged into the tree with their username and password obviously.

I know I can read the .htpasswd file but
can my php code read the htpassword username of the user now active from the apache session or somewhere?

thanks again.

jazz

Check out part two, there's a download at the foot called "debug-report" Drop that inside the user area and load it in your web browser once logged in. Voila! ;o) Cor



jazz - 25.11.13 11:10 am


Hi

Many thanks for the fast response cor.

That was exactly what I needed - perfect.
The value PHP_AUTH_USER does the trick for me.

You're worth your weight in gold (or bitcoins!)

cheers
jazz



John - 12.12.13 11:45 am

Hi many thanks to this site. this is a big big big help for me. This is the only site that a got what I need.


Can I Ask About the Multiple Domains in One Root?

RewriteCond %{HTTP_HOST} domain-one.com
RewriteCond %{REQUEST_URI} !^/one
RewriteRule ^(.*)$ one/$1 [L]


What is the proper way to add the WWW and Non WWW in domain-one.com?

I made this version but this is not totally working with both of WWW and Non WWW
RewriteCond %{HTTP_HOST} ^(www.)?domain-one.com
RewriteCond %{REQUEST_URI} !^/one
RewriteRule ^(.*)$ one/$1 [L]




I'll wait for your response.

Thanks

John smiley for :)smiley for :)smiley for :)smiley for :)smiley for :)smiley for :)


jay - 11.01.14 9:34 am

Hi,

My site is created in Joomla, in order to go to administrator backend, you would go to www.mysite.com/administrator, the problem is I cannot any subfodlers and in the .
Any misconfiguration I made in the .ht. I have these line in my .ht file:



# @version $Id: ht.txt 21064 2011-04-03 22:12:19Z dextercowley $
# @package Joomla
# @copyright Copyright (C) 2005 - 2010 Open Source Matters.  rights reserved.
# @license http://www.gnu.org/copyleft/gpl.html GNU/GPL
# Joomla! is Free Software
##

#####################################################
#  READ THIS COMPLETELY IF YOU CHOOSE TO USE THIS 
#
#  line just below this section: 'Options +FollowSymLinks' may cause problems
# with some  configurations.  It is required for use of mod_rewrite, but may already
# be set by your  administrator in a way that dissows changing it in
# your .ht .  If using it causes your  to  out, comment it out (add # to
# beginning of line), reload your site in your browser and test your sef url's.  If y work,
# it has been set by your  administrator and you do  need it set here.
#
#####################################################

##  Can be commented out if causes s, see es above.
Options +FollowSymLinks
 
#
#  mod_rewrite in use

RewriteEngine On

########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out  operations listed below
## This attempts to block  most common type of exploit `attempts` to Joomla!
#
## Deny  to extension xml s (uncomment out to activate)
#<s ~ "\.xml$">
#Order ow,deny
#Deny from 
#Satisfy 
#</s>
## End of deny  to extension xml s
# Block out any script trying to set a mosConfig value through  URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode data within  URL
RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
# Block out any script that includes a > tag in URL
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Return 403 Forbidden header and show  content of  root homepage
RewriteRule .* index.php [F]
#
########## End - Rewrite rules to block out some common exploits

########## Begin - Custom redirects
#
# If you need to redirect some pages, or set a canonical non-www to
# www redirect (or vice versa), place that code here. Ensure those
# redirects use  correct RewriteRule syntax and  [R=301,L] flags.
#
########## End - Custom redirects

#  Uncomment following line if your web's URL
#  is  directly related to physical  paths.
#  Update Your Joomla! Directory (just / for root)

# RewriteBase /
 
########## Begin - Joomla! core SEF Section
#
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
#
# If  requested path and  is  /index.php and  request
# has  already been interny rewritten to  index.php script
RewriteCond %{REQUEST_URI} !^/index\.php
# and  request is for root, or for an extensionless URL, or 
# requested URL ends with one of  listed extensions
RewriteCond %{REQUEST_URI} (/[^.]*|\.(php|html?|feed|pdf|raw))$ [NC]
# and  requested path and  n't directly match a physical 
RewriteCond %{REQUEST_NAME} !-f
# and  requested path and  n't directly match a physical folder
RewriteCond %{REQUEST_NAME} !-d
# interny rewrite  request to  index.php script
RewriteRule .* index.php [L]
#
########## End - Joomla! core SEF Section

RewriteCond %{HTTP_HOST} ^aboutfilipino\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.aboutfilipino\.com$
RewriteRule ^taga\-parts\-of\-speech$ "http\:\/\/aboutfilipino\.com\/taga\-parts\-of\-speech" [R=302,L]




rahamsher - 07.03.14 1:45 pm

...its great job...
Keep it up...


Shailendra - 18.04.14 3:13 pm

I have a URL like "localhost:800/testapp/Showcase/demopage/S1/user" in which the number after folder "S" is dynamic and the "user" folder is also dynamic.Now i want my URL to look like "localhost:800/testapp/". I have hide the folders "Showcase and demopage" from the URL so that it looks like "localhost:800/testapp/S1/user" but i want to hide these S1, S2, S3 and user folders from the URL. Any help will be greatly appreciated.

Thanks:
Shail


First, confirm that you are human by entering the code you see..

(if you find the code difficult to decipher, click it for a new one!)


Enter the 5-digit code this text sounds like :

lower-case why, Upper-Case Elle, too!, lower-case jay, Upper-Case Ess


 

Welcome to corz.org!

If something isn't working, I'm probably improving it, try again in a minute. If it's still not working, please mail me!