.htaccess files - catalyst2

Call Us 0800 107 7979

Service Status

Back to knowledgebase

17 December 2021

The Apache web server uses various configuration files. It always has a primary configuration file (typically httpd.conf) and often a config file with options specific to a domain / virtual host. On shared servers users can also override a subset of directives using .htaccess files in their home directory. For instance, users can set up rules to rewrite URLs or to limit access to web pages to specific IP addresses.

Inheritance

Apache options are inherited. The rules defined in the main httpd.conf apply to all subdirectories, unless they are overridden somewhere else. This allows you to fine-tune what rules should apply to which directories.

To illustrate, the httpd.conf file on cPanel servers allows directory listings. Users often change that setting, as it allows anyone to view the contents of folders that don’t have an index file. The rule in the httpd.conf file looks like this:

<Directory "/">
  AllowOverride All
  Options Indexes
</Directory>

The <Directory> directive defines the settings for the server’s / directory. That is the top-level directory on Unix-like operating systems, and the rules therefore apply globally.

The AllowOverride directive defines whether or not settings can be overridden. In the above example it is set to All, which is the most permissive option. If it is set to None then any .htaccess files are ignored.

And finally, the Options Indexes rule is what enables directory listings. To disable indexes you can change the value to Options -Indexes.

Overrides

WordPress Toolkit has an option to disable directory browsing. When you enable the option the default setting is overridden. Toolkit does this via a domain-specific configuration file. This is the rule Toolkit creates:

<Directory "/home/example/public_html">
    Options -Indexes
</Directory>

So, indexes are now allowed globally, but not in /home/example/public_html (and any of its subdirectories). If you want to enable directory listings for a subfolder then you can override the settings again via a .htaccess file. For instance, you can use this to allow directory browsing for a folder named “downloads”:

<Directory "/home/example/public_html/downloads">
    Options +Indexes
</Directory>

Performance

.htaccess files are essential on shared servers. They allow users to override settings and set up custom rules, such as redirects. The only downside of .htaccess files is that they come with a small performance penalty. The more configuration files Apache has to process, the more work it has to do.

If you have full access to a server then you can use just the main httpd.conf file. However, there are downsides to that as well. Most importantly, you really need to know your stuff. A small typo can throw all websites on your server offline. Plus, you need root access. Unless you are comfortable managing servers on the command line you probably want to use .htaccess files. Or, you can let us make certain changes for you!

Working with .htaccess files

.htaccess files are plain text files that can be edited directly. As said, you do need to be very careful, as a small typo can cause an error 500 (the dreaded “internal server error”). If you need to manually edit a .htaccess file then it is best to first make a copy of the original file. That way you can always revert your changes.

It is also worth noting that the file is a so-called dot file. On Linux systems, files that start with a dot are not displayed by default. In cPanel’s file manager you need to enable the “show hidden files” option before you can see the files. When you enable the option you will see quite a few extra files and folders. These are mostly used to store configuration options. Similarly, on the command line you need to add the -a (--all) option to ls to include dot files in directory listings.

On cPanel servers you can also make various configuration changes using a graphical interface. For instance, you can set up a redirect with just a few clicks. That is useful, as the Apache configuration is complex and can work in unexpected ways.

Complexity

The Apache web server is thoroughly documentated, but the documentation is a little dry. It is also very extensive – Apache has a very large number of bells and whistles. If you are new to Apache, the main things to know up front are that there are different Apache versions and that it has a huge number of directives.

This is important, as things work differently in different Apache versions. For instance, if you do an online search to find out how to block an IP address via a .htaccess file then you probably end up doing something like this:

Order Allow,Deny
Allow from all
Deny from 1.2.3.4

This syntax is specific to Apache 2.2 and was deprecated in version 2.4. It still works in Apache 2.4, but it will stop working in a future version. The new way of blocking an IP address is this:

<RequireAll>
  Require all granted
  Require not ip 1.2.3.4
</RequireAll>

So, it is always a good idea to have a look at the official documentation. It will help you better understand how the configuration works, and it will prevent that things suddenly stop working.

Featured Blogs

Identifying Common Server Issues and How to Avoid Them

What our clients say

We really rate catalyst2. We get a great response from the team… really happy with the service.

Mike Fieldhouse, realityhouse

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.

Necessary

Always Enabled

Functional

Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.

Cookie	Duration	Description
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	2 years	LinkedIn sets this cookie to store performed actions on the website.
lang	session	LinkedIn sets this cookie to remember a user's language setting.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Performance

Analytics

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_5562310_11	1 minute	Set by Google to distinguish users.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.

Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.

Others

Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.

Cookie	Duration	Description
_ashkii	session	No description available.
_wicasa	3 months	No description available.
AnalyticsSyncHistory	1 month	No description
cookid	3 months	No description available.
cookietest	session	No description
crisp-client/domain-detect/1644827320973	session	No description
crisp-client/domain-detect/1644827348275	session	No description
crisp-client/domain-detect/1644827428415	session	No description
crisp-client/domain-detect/1644827479357	session	No description
crisp-client/domain-detect/1644827596454	session	No description
crisp-client/domain-detect/1644827724838	session	No description
crisp-client/domain-detect/1644827824383	session	No description
crisp-client/domain-detect/1644827878659	session	No description
crisp-client/domain-detect/1644828716243	session	No description
crisp-client/domain-detect/1644828846246	session	No description
crisp-client/domain-detect/1644829369013	session	No description
crisp-clientsession30cc6953-ebcf-4bc6-b649-c44eb446409e	6 months	No description
dbmFP	3 months	No description available.
dbmPK	3 months	No description available.
li_gc	2 years	No description