Htaccess Cheatsheet
Requre HTTP Basic Auth
This is the most common thing that one may need an htaccess file. Implementing a really basic username/password around a site so that you can't see any of it unless you plug in the details. This also works well for APIs though too.
AuthType Basic
AuthName "Protected Directory"
AuthUserFile "/var/www/my-site/.htpasswd"
Require valid-user
That would require a .htpasswd file at /var/www/my-site though, so don't forget to put one there, and make sure that is not a public area in your apache config.
Apply To Specific Routes
Usually, I set the .htaccess file within a folder that needs protecting. However, if you wish to use this on something like a WordPress site for which you wish to protect a route/path (which isn't a folder), then you can use the following example to apply the authentication requirement to just that route(s).
# Do the regex check against the URI here, if match, set the "require_auth" var
SetEnvIf Request_URI ^/my/url/route require_auth=true
# Auth stuff
AuthUserFile /var/www/my-site/.htpasswd
AuthName "Password Protected"
AuthType Basic
# Setup a deny/allow
Order Deny,Allow
# Deny from everyone
Deny from all
# except if either of these are satisfied
Satisfy any
# An authenticated user
Require valid-user
# Or if the "require_auth" var is NOT set (any route that did not match our regex for routes requiring auth).
Allow from env=!require_auth
Allow Certain Folders
If you want to block all folder except certain ones, read my post on Htaccess - Require Auth For Everywhere Except Whitelist.
Allow Certain Routes Based on IP
The previous examples showed you how to lock down certain routes/folders to those that could provide the HTTP basic auth user/password. If you wish to lock down a route simply through IP whitelisting, you could do so like this:
RewriteEngine on
# specify the areas you wish to restrict
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin\/(.*)$
# allow people using the following IPs through area
RewriteCond %{HTTP:X-Forwarded-For} !^www\.xxx\.yyy\.zzz$
RewriteCond %{HTTP:X-Forwarded-For} !^www\.xxx\.yyy\.zzz$
RewriteRule ^(.*)$ - [R=403,L]
The example above uses tests the IP based on the X-Forwarded-For header that a proxy might add.
If you are not using a proxy, then you could use the following instead:
RewriteCond %{REMOTE_ADDR} !^xxx\.xxx\.xxx\.xxx$
Htpasswd
The htpasswd file can be used to list all the users and their hashed passwords, that should have access to the site. There should be one line for each user. E.g.
user1:$2y$05$5WwxMM7hsG0J4gbfQty1BOPO7xYp7NiGT3iq4TlnTRB7sZJDn49pa
user2:$2y$05$/ofEZc3e0w82TFLuIcptiuv9ifyUtFlk1cmV5logDYDabRlZEvBdC
user3:$2y$05$ozer.xrEfhWbnyJgzFgtS..XMip2cZeNasg6s3VNW9uwKlDXwBZsS
To generate a line for a new user in the file, run the following script (swapping out the variables).
USERNAME="myUsername"
PASSWORD="myPassword"
htpasswd -Bbn $USERNAME $PASSWORD
Redirect To Index.php Except Existing Files And Directories
If you are using a PHP framework that implements a routing engine, you may wish for Apache to route all requests to index.php unless its for a file that already exists (e.g. a Javascript script file, or an image).
This is as easy as:
RewriteEngine On
# Don't redirect if matches file
RewriteCond %{REQUEST_FILENAME} !-f
# Don't redirect if matches directory
RewriteCond %{REQUEST_FILENAME} !-d
# Redirect everything else to index.php
RewriteRule ^ index.php [QSA,L]
sudo a2enmod rewrite
Redirect HTTP to HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=302,L]
301 to 302 for a permanent redirect for SEO rankings.
Validator
To perform of a basic check of your htaccess file for mistakes, you may wish to use htaccesscheck.com
References
First published: 12th February 2021
