Examples of Apache 2.4 .htaccess Directives

The Apache web server reads .htaccess files for additional instructions that apply within a folder and its subdirectories. .htaccess files can be used to do many things, such as redirecting a user, IP whitelisting, disabling access to certain types of files, and much more.

As I said before, a .htaccess file applies to the directory in which it is contained, and also to that directory's subdirectories. If one of the subdirectories has an .htaccess file inside it, the subdirectory’s .htaccess file is processed first.

I’ve included a few snippets as examples. Note that these snippets are for Apache 2.4. If you search for “apache htaccess,” lots of results will appear, but most of these results are for Apache 2.2. Apache 2.2 was declared end of life on 1/1/2018, so hopefully folks have been able to upgrade.

The following snippet forces a website to use HTTPS:

# Placed @ /home/user/
# Requires HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

The following snippet enforces IP whitelisting. IP whitelisting using .htaccess files is not foolproof because IP addresses can be spoofed, but it can help. You could place a .htaccess file with this rule in the “/wp-admin/” folder if you wanted only certain IP addresses to be able to access the dashboard.

# Placed @ appropriate folder
# Simple IP whitelisting
<RequireAll>
    Require ip 0.0.0.0
</RequireAll>

This snippet enforces IP whitelisting, but this time, it redirects to the home page if the user is not in the whitelist.

# Placed @ appropriate folder
# Redirects to home page unless the IP is whitelisted
# The whole condition is one quoted expression; && means the client matches neither listed address
<If "%{REMOTE_ADDR} != '0.0.0.0' && %{REMOTE_ADDR} != '0.0.0.0'">
	Redirect /
</If>

This snippet requires the user to authenticate before being able to access the folder or its contents. A file with usernames and passwords must be created OUTSIDE of the web root directory (for security purposes). The format for the usernames and passwords in this file is username:encrypted-PW – here is a guide on how to generate the encrypted password. The “AuthUserFile” parameter needs to be updated, and the “AuthName” parameter should be updated as well.

# Placed @ appropriate folder
# Requires additional authentication.
AuthName "Authenticate"
AuthUserFile "/PATH/TO/passwd"
AuthType Basic
Require valid-user
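
As an added example (not from the original post), this Python sketch statically checks that the AuthUserFile named in a .htaccess file really resolves outside the web root. The sample .htaccess text, the paths and the function names are constructed for this illustration.

```python
import posixpath
import shlex

def auth_user_files(htaccess_text):
    """Return the path argument of every AuthUserFile directive in the text."""
    paths = []
    for line in htaccess_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            parts = shlex.split(line)   # handles quoted paths with spaces
        except ValueError:
            continue                    # unbalanced quotes: not a line we audit
        if len(parts) >= 2 and parts[0].lower() == "authuserfile":
            paths.append(parts[1])
    return paths

def inside_web_root(path, document_root, server_root):
    """True if the path, resolved lexically, lies under document_root."""
    if not posixpath.isabs(path):
        # Apache treats a relative AuthUserFile as relative to ServerRoot.
        path = posixpath.join(server_root, path)
    path = posixpath.normpath(path)     # collapses ".." (symlinks are not followed)
    root = posixpath.normpath(document_root)
    # Compare with a trailing slash so /public_html_backup is not a match.
    return path == root or path.startswith(root.rstrip("/") + "/")

def audit(htaccess_text, document_root, server_root):
    """Return the AuthUserFile paths that sit where HTTP clients can reach them."""
    return [p for p in auth_user_files(htaccess_text)
            if inside_web_root(p, document_root, server_root)]

# Constructed sample input: the ".." walks back into the web root.
SAMPLE = '''
# Requires additional authentication.
AuthName "Authenticate"
AuthUserFile "/home/user/private/../public_html/wp-admin/passwd"
AuthType Basic
Require valid-user
'''
SAFE = SAMPLE.replace("/private/../public_html/wp-admin/", "/private/")

if __name__ == "__main__":
    for text in (SAMPLE, SAFE):
        print(audit(text, "/home/user/public_html", "/etc/apache2") or "ok")
```

The check is lexical only, so a symlink that points from outside the web root back into it still needs a look on the server itself.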

This snippet requires additional authentication only IF the user is not IP whitelisted. The notes about changing the “AuthUserFile” and “AuthName” parameters still apply.

# Placed @ appropriate folder
# Requires either IP whitelisting or additional authentication
AuthName "Authenticate"
AuthUserFile "/PATH/TO/passwd"
AuthType Basic

<RequireAny>
	Require valid-user
	Require ip 0.0.0.0
	Require ip 0.0.0.0
</RequireAny>

5 Comments

  1. oprolevorter on October 12, 2019 at 9:53 pm

    Really clean site, thank you for this post.

  2. Paul on February 23, 2021 at 9:53 pm

    Very nice thank you!

  3. 인터넷 바카라 on April 2, 2021 at 9:12 am

    Oh my goodness! Impressive article dude! Thank you, However I
    am experiencing difficulties with your RSS. I don’t understand the reason why I can’t join it.
    Is there anybody else having identical RSS problems?
    Anyone who knows the answer will you kindly respond?
    Thanx!!

  4. mgm 바카라 on April 3, 2021 at 11:21 pm

    Hi there! Quick question that’s completely off topic.
    Do you know how to make your site mobile friendly? My blog looks weird when browsing from my iphone.
    I’m trying to find a theme or plugin that might be able to fix this problem.
    If you have any suggestions, please share.
    With thanks!

  5. xo 카지노 on April 5, 2021 at 5:07 pm

    It's like you read my mind! You seem to know so much about this, like you wrote
    the book in it or something. I think that you can do with some pics to drive the message home a bit, but
    instead of that, this is magnificent blog.
    An excellent read. I’ll definitely be back.
