This post is also available in Русский
.htaccess allows you to create your own Apache server management configuration in directories or hosting settings.
Introduction to .htaccess
The .htaccess (Hypertext Access) file is an Apache web server configuration file that allows you to customize the server at the directory or hosting level. All rules written in .htaccess apply to the current directory and all its subdirectories (unless they have their own .htaccess).
Features of .htaccess:
- Apache checks the file on every request to the site
- Changes take effect on the next request to the server
- Some directives (especially those related to PHP modules) may require a server restart.
- Apache global settings may restrict available directives
- Syntax errors result in error 500
- Affects performance with large number of rules
Basic configuration
Enabling the Rewrite module
To work with URLs, you must activate the module:
RewriteEngine On
Access Control
Restrict access by IP
These rules are especially useful for:
- Protecting the admin panel
- Restrict access to the test version of the site
- Blocking spam bots
- Geo-restrict access to content
Single IP ban
Order Deny,Allow
Deny from 123.123.123.123
Practical application:
- Blocking spammers or malicious users
- Temporarily restricting access to problematic users
- Protect against DDoS attacks from specific addresses
Usage example: You have an online store and you have noticed suspicious activity from a certain IP address - multiple attempts to find the password to the admin area. You can temporarily block this IP.
Allow access only to a specific IP
Order Deny,Allow
Deny from all
Allow from 123.123.123.123
Practical application:
- Access to the staging-version of the site for developers only
- Restrict access to admin panel by office IP
- Protecting confidential sections of the site
Usage Example: You have a test version of your site that should be accessible only by company employees. You can allow access only from office IP addresses.
Encoding and language settings
Default encoding
AddDefaultCharset UTF-8
What it’s for:
- Proper display of special characters
- Support for multilingual content
- Prevent coding problems in forms
Usage Example: You have a multilingual site with Russian and Chinese content. Setting UTF-8 will ensure that characters from both languages are displayed correctly.
Error handling
Custom error pages
ErrorDocument 404 /errors/404.html
ErrorDocument 403 /errors/403.html
ErrorDocument 401 /errors/401.html
ErrorDocument 500 /errors/500.html
Practical application:
- Improving user experience
- Retaining visitors when errors occur
- Branding error pages
- Providing useful information when failures occur
Usage Example: On a 404 page you can:
- Show popular sections of the site
- Add a search form
- Suggest contacting support
- Show a sitemap
Manage URLs and redirects
Redirect to .html
RewriteCond %{REQUEST_URI} (.*/[^/.]+)($|\?)
RewriteRule .* %1.html [R=301,L]
RewriteRule ^(.*)/$ /$1.html [R=301,L]
Practical application:
- Creating clean URLs without extensions
- SEO optimization
- Simplifying site structure
- Migration from old URL structure
Usage Example: Instead of URLs like:
site.ru/about.htmlsite.ru/contacts.html
Users will be able to use:
site.ru/aboutsite.ru/contacts
Managing slashes in URLs
Delete end slash
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)/$ /$1 [R=301,L]
Why it’s needed:
- URL uniformity
- Prevent duplicate pages
- SEO improvement
- Clean link structure
Usage Example: All URLs of the form:
site.ru/blog/site.ru/about/Will be automatically converted to:site.ru/blogsite.ru/about
Handling www and no www
Redirect from www to without www
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^(.*)$ http://%1/$1 [R=301,L]
Important for:
- SEO optimization
- Preventing duplicate pages
- Link consistency
- Proper functioning of cookies
Example of use: All URLs of the form:
www.site.ru/pagewww.site.ru/blog/postWill be automatically converted to:site.ru/pagesite.ru/blog/post
Redirect without www to www
RewriteCond %{HTTP_HOST} ^site.ru$ [NC]
RewriteRule ^(.*)$ http://www.site.ru/$1 [R=301,L]
Security
Hotlink protection
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?site\.ru [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ /images/stop-hotlinking.jpg [NC,R,L]
Practical application:
- Copyright protection
- Saving traffic
- Prevent image theft
- Protection from parasitic use of resources
Application Example: If someone tries to embed your image on their website:
<img src=“http://your-site.ru/images/expensive-photo.jpg”>
A warning stub will be shown instead of your image.
Bruteforce protection
Comprehensive approach using mod_security or limiting the number of requests:
# Limit the number of requests
<IfModule mod_ratelimit.c>
# Limit to 5 requests per second
SetOutputFilter RATE_LIMIT
SetEnv rate-limit 5
</IfModule>
# Blocking suspicious patterns
<IfModule mod_security2.c>
SecRule REQUEST_URI "/administrator\.php" \
"phase:1,deny,status:403,id:1000,msg:'Suspicious admin access attempt'"
</IfModule>
# Additional safety rules
SetEnvIfNoCase User-Agent "^libwww-perl*" block_bot
Deny from env=block_bot
Applies to:
- Protect the admin panel
- Prevent password mining
- Blocking automated attacks
- Protect authorization forms
Performance optimization
Static Content Caching
<IfModule mod_expires.c>
ExpiresActive On
# Images
ExpiresByType image/jpg "access plus 1 month"
ExpiresByType image/jpeg "access plus 1 month"
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/png "access plus 1 month"
# CSS, JavaScript
ExpiresByType text/css "access plus 1 week"
ExpiresByType application/javascript "access plus 1 week"
# Add versioning via GET parameter to update files
# Example: style.css?v=1.2
RewriteCond %{REQUEST_FILENAME} \.(css|js|jpg|jpeg|png|gif)$
RewriteCond %{QUERY_STRING} !^v=
RewriteRule ^(.*)$ $1?v=1.0 [L]
</IfModule>
Benefits:
- Reduced server load
- Faster page loading
- Saving traffic
- Improved user experience
Important Note: When updating files, you must:
- Change the version in the GET parameter
- Or use new file names
- Or clear the client-side cache
GZIP compression
<IfModule mod_deflate.c>
# Compress only text files
AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css
AddOutputFilterByType DEFLATE application/xml application/xhtml+xml
AddOutputFilterByType DEFLATE application/javascript application/x-javascript
# Do not compress already compressed formats
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png|pdf|zip|rar)$ no-gzip dont-vary
</IfModule>
Efficiency:
- Reduces HTML size by up to 70%
- CSS compression up to 80%
- Compress JavaScript up to 60%
- Speed up site loading
Optimization for SPA
<IfModule mod_rewrite.c>
RewriteEngine On
# Specify the correct path if the application is in a subdirectory
RewriteBase /path/to/app/
RewriteRule ^index\.html$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-l
RewriteRule . /path/to/app/index.html [L]
</IfModule>
Note: If your application is in the root of the site, use RewriteBase /. For a subdirectory, specify the appropriate path.
Debugging and monitoring
Error Logging
php_flag log_errors on
php_value error_log /path/to/error.log
Customization for development
php_flag display_errors on
php_value error_reporting E_ALL
Recommendations for use
Best Practices
- Create backups before making changes
- Test in a secure environment
- Document changes
- Group related directives
- Check logs regularly
- Optimize the number of rules
- Use up-to-date security methods
- Monitor performance
Typical errors
- Incorrect RewriteRule order
- Lack of condition checking
- Overuse of .htaccess
- Lack of error handling
- Insecure permissions settings
Conclusion
The .htaccess file is a powerful Apache customization tool that, when used correctly, can greatly improve the security and performance of your site. However, it is important to keep in mind the potential impact on performance and the need to thoroughly test all changes.