Htaccess Cheatsheet
Requre HTTP Basic Auth
This is the most common thing that one may need an htaccess file. Implementing a really basic username/password around a site so that you can't see any of it unless you plug in the details. This also works well for APIs though too.
AuthType Basic
AuthName "Protected Directory"
AuthUserFile "/var/www/my-site/.htpasswd"
Require valid-user
That would require a .htpasswd file at /var/www/my-site though, so don't forget to put one there, and make sure that is not a public area in your apache config.
Allow Certain Folders
If you want to block all folder except certain ones, read my post on Htaccess - Require Auth For Everywhere Except Whitelist.
Htpasswd
The htpasswd file can be used to list all the users and their hashed passwords, that should have access to the site. There should be one line for each user. E.g.
user1:$2y$05$5WwxMM7hsG0J4gbfQty1BOPO7xYp7NiGT3iq4TlnTRB7sZJDn49pa
user2:$2y$05$/ofEZc3e0w82TFLuIcptiuv9ifyUtFlk1cmV5logDYDabRlZEvBdC
user3:$2y$05$ozer.xrEfhWbnyJgzFgtS..XMip2cZeNasg6s3VNW9uwKlDXwBZsS
To generate a line for a new user in the file, run the following script (swapping out the variables).
USERNAME="myUsername"
PASSWORD="myPassword"
htpasswd -Bbn $USERNAME $PASSWORD
Redirect To Index.php Except Existing Files And Directories
If you are using a PHP framework that implements a routing engine, you may wish for Apache to route all requests to index.php unless its for a file that already exists (e.g. a Javascript script file, or an image).
This is as easy as:
RewriteEngine On
# Don't redirect if matches file
RewriteCond %{REQUEST_FILENAME} !-f
# Don't redirect if matches directory
RewriteCond %{REQUEST_FILENAME} !-d
# Redirect everything else to index.php
RewriteRule ^ index.php [QSA,L]
sudo a2enmod rewrite
Redirect HTTP to HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=302,L]
301 to 302 for a permanent redirect for SEO rankings.
References
First published: 12th February 2021