Contains examples:
* preventing directory listing (protect your images/zips etc.)
* redirects (e.g. moving Mambo/Joomla to another directory)
* preventing hot linking (stop unpaid and unauthorised linking and stealing)
* protecting the PHP in a Mambo/Joomla wrapper
For the users of this forum: This is an extract from a guide that will appear on a site a group of professionals is launching within the next couple of days. The formal announcement will follow soon. The site will provide dedicated and professional support to Joomla! & Mambo users and is the result of certain events on this forum over the past month. Tutorials will be accessible through the specific site and will be posted here as well as pay-back to this community. This is just a tiny little piece of what's coming. Stay tuned!
Note: I will not give support on individual htaccess issues on this forum after publishing this guide, so please direct them to the right sections in this forum.
Introduction
An htaccess file is a simple ASCII file, such as you would create through a text editor like NotePad or SimpleText. Many people seem to have some confusion over the naming convention for the file, so let me get that out of the way.
.htaccess is the file extension. It is not file.htaccess or somepage.htaccess, it is simply named .htaccess
In order to create the file, open up a text editor and save an empty page as .htaccess (or type in one character, as some editors will not let you save an empty page). Chances are that your editor will append its default file extension to the name (e.g. Notepad would call the file .htaccess.txt). You need to remove the .txt (or other) extension in order to get yourself ‘htaccessing’. You can do this by right-clicking on the file and renaming it, removing anything that isn't .htaccess. You can also rename it via telnet or your FTP program, and you should be familiar enough with one of those so as not to need explaining. Renaming the .txt to .htaccess is one of the prerequisites of using SEO/SEF with Joomla/Mambo.
htaccess files must be uploaded in ASCII mode, not BINARY. You need to CHMOD the htaccess file to 644 (rw-r--r--). This makes the file usable by the server but keeps it from being read by a browser; a browser-readable htaccess file can seriously compromise your security. (For example, if you have password-protected directories and a browser can read the htaccess file, then a visitor can get the location of the authentication file and then reverse-engineer the list to get full access to any portion that you previously had protected. There are different ways to prevent this: one is to place all your authentication files above the root directory so that they are not www-accessible, and the other is a series of htaccess commands that prevents the file itself from being accessed by a browser; more on that later.)
Most commands in htaccess are meant to be placed on one line only, so if you use a text editor that uses word-wrap, make sure it is disabled or it might throw in a few characters that annoy Apache to no end, although Apache is typically very forgiving of malformed content in an htaccess file. The best thing to do is use Notepad or Notepad-Pro or Dreamweaver or something equivalent.
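The steps above (create the file, get rid of the .txt suffix, keep it plain ASCII with one directive per line, set it to 644) can be done and checked from a shell in one go. The script below is an added example written for this guide, not code from the original post: it writes a small .htaccess, strips any Windows carriage returns, sets the mode and then verifies name, line endings and permissions. The directives inside it are assumptions on my part: a `<Files .htaccess>` block using the Apache 2.2-style `Order allow,deny` / `Deny from all` pair (Apache 2.4 spells the same thing `Require all denied`, and many stock Apache configurations already deny `.ht*` files by default) plus the `IndexIgnore *` line from the directory-listing section.

```shell
#!/bin/sh
# Added example (not from the original post): create a .htaccess the way the
# guide describes -- plain ASCII, one directive per line, named exactly
# ".htaccess", mode 644 -- and verify each of those properties afterwards.
# The <Files> block is the "keep the file from being read by a browser" idea
# the guide mentions, written in Apache 2.2 syntax (assumed; 2.4 uses
# "Require all denied").

# write_htaccess DIR : writes DIR/.htaccess, drops CR bytes that a Windows
# editor or word-wrap may have added, and sets mode 644.
write_htaccess() {
    dir=$1
    # Write to a .txt name first to mirror what Notepad does, then rename.
    cat > "$dir/.htaccess.txt" <<'EOF'
# Never let a browser fetch this file itself
<Files .htaccess>
    Order allow,deny
    Deny from all
</Files>
# No directory listings in this directory or below
IndexIgnore *
EOF
    # Strip Windows line endings so every directive is a clean one-liner
    tr -d '\r' < "$dir/.htaccess.txt" > "$dir/.htaccess"
    rm -f "$dir/.htaccess.txt"
    chmod 644 "$dir/.htaccess"
}

# verify_htaccess FILE : returns 0 only when FILE is named .htaccess,
# contains no CR bytes and has mode rw-r--r-- (644).
verify_htaccess() {
    f=$1
    [ "$(basename "$f")" = ".htaccess" ] || { echo "bad name: $f"; return 1; }
    # Byte count must be unchanged after removing CRs, i.e. there were none
    with_cr=$(wc -c < "$f" | tr -d ' ')
    without_cr=$(tr -d '\r' < "$f" | wc -c | tr -d ' ')
    [ "$with_cr" -eq "$without_cr" ] || { echo "CR bytes present in $f"; return 1; }
    mode=$(ls -l "$f" | cut -c1-10)
    [ "$mode" = "-rw-r--r--" ] || { echo "mode is $mode, want -rw-r--r--"; return 1; }
    return 0
}

# Demo run in a scratch directory (constructed, not a real site root)
demo_dir=$(mktemp -d)
write_htaccess "$demo_dir"
verify_htaccess "$demo_dir/.htaccess" && echo "ok: $demo_dir/.htaccess"
```

Run it with `sh` on the web server (or locally before uploading); if `verify_htaccess` complains about CR bytes, your editor saved Windows line endings and you should re-save as plain ASCII, which is also what the "upload in ASCII mode" advice is about.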
htaccess is an Apache thing, not a Windows Server/NT thing. There are similar capabilities for Windows/NT servers, though in our professional experience and personal opinion, Windows/NT's ability in these areas is severely handicapped. But that's not what we're here for.
htaccess files affect the directory they are placed in and all sub-directories; that is, an htaccess file located in your root directory (yoursite.com) would affect yoursite.com/content, yoursite.com/content/contents, etc. It is important to note that this can be prevented (if, for example, you did not want certain htaccess commands to affect a specific directory) by placing a new htaccess file within the directory you don't want affected by certain changes, and leaving the specific command(s) you do not want affecting this directory out of the new htaccess file. In short, the nearest htaccess file to the current directory is treated as the htaccess file. If the nearest htaccess file is your global htaccess located in your root, then it affects every single directory in your entire site.
Before you go off and plant htaccess everywhere, read through this and make sure you don't do anything redundant, since it is possible to cause an infinite loop of redirects or errors if you place something weird in the htaccess.
Also, some sites do not allow use of htaccess files, since depending on what they are doing, they can slow down a server overloaded with domains if they are all using htaccess files. I can't stress this enough: you need to make sure you are allowed to use htaccess before you actually use it. Some things that htaccess can do can compromise a server configuration that has been specifically set up by the admin, so don't get in trouble.
Now here are some examples and how-tos:
Preventing Directory listing
Do you have a directory full of images (such as your Joomla/images/stories folder) or zips (in your repository download folder) that you do not want people to be able to browse through? Typically a server is set up to prevent directory listing, but sometimes it is not. If not, become self-sufficient and fix it yourself:
Code:
IndexIgnore *
The * is a wildcard that matches all files, so if you stick that line into an htaccess file in your images directory, nothing in that directory will be allowed to be listed. On the other hand, what if you did want the directory contents to be listed, but only if they were HTML pages and not images?
Code:
IndexIgnore *.gif *.jpg
This would return a list of all files not ending in .jpg or .gif, but would still list .txt, .html, etc.
Redirects
(for instance, your Mambo or Joomla installation from one site/directory to another)
Ever gone through the nightmare of changing significant portions of your site, then having to deal with the problem of people finding their way from the old pages to the new? It happens often when updating, changing hosts, changing to sub-directories etc. It can be nasty. There are different ways of redirecting pages, but the most effective way of doing it is through htaccess.
htaccess uses redirect to look for any request for a specific page (or a non-specific location, though this can cause infinite loops) and if it finds that request, it forwards it to a new page you have specified:
Code:
Redirect /olddirectory/oldfile.html http://yoursite.com/newdirectory/newfile.html
Note that there are 3 parts to that, which should all be on one line: the Redirect command, the location of the file/directory you want redirected relative to the root of your site (/olddirectory/oldfile.html = yoursite.com/olddirectory/oldfile.html) and the full URL of the location you want that request sent to. Each of the 3 is separated by a single space, but all on one line. You can also redirect an entire directory by simply using
Code:
Redirect /olddirectory http://yoursite.com/newdirectory/
This is extremely useful when you move Mambo or Joomla from one directory to another!
Using this method, you can redirect any number of pages no matter what you do to your directory structure. It is the fastest method and has a global effect.
Preventing hot linking of images and other file types
"Hot linking" is a curse phrase. Also known as "bandwidth stealing" by the angry site owner, it refers to linking directly to non-HTML objects that are not on one's own server, such as your carefully designed and paid-for Joomla template logo, stories/images, .js files etc. The victim's server in this case is robbed of bandwidth (and in turn money) as the violator enjoys showing content without having to pay for its delivery. The most common form of hot linking involves another site's images.
Using .htaccess, you can disallow hot linking on your server, so those attempting to link to an image or CSS file on your site, for example, are either blocked (failed request, such as a broken image) or served different content (e.g. an image of an angry man). Note that mod_rewrite needs to be enabled on your server in order for this aspect of .htaccess to work. Ask your web host about this.
With all the pieces in place, here's how to disable hot linking of certain file types, in the example below images, JavaScript (.js) and CSS (.css) files. Simply add the code below to your .htaccess file, and upload the file either to your root directory, or to a particular subdirectory to localise the effect to just one section of your site:
Code:
RewriteEngine on
# Let requests with no Referer through (direct visits, bookmarks, privacy tools)
RewriteCond %{HTTP_REFERER} !^$
# Let requests referred from our own site through (case-insensitive, with or without www)
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain\.com/.*$ [NC]
# Anything else asking for these file types gets a Forbidden response
RewriteRule \.(gif|jpg|js|css)$ - [F]
Be sure to replace "mydomain.com" with your own domain. The above code makes the request fail when hot linking of the specified file types occurs (the [F] flag answers with a Forbidden response). In the case of images, a broken image is shown instead.
DO NOT HOTLINK! IT'S THEFT!
Prevent direct access to PHP in wrapper
If you would like to provide access to a number of PHP files via the Joomla/Mambo wrapper menu item, you can protect them with a few lines of .htaccess placed next to the external script:
The following code in .htaccess blocks direct access to the script while not causing any problems with access via the wrapper. It's for a script that exists outside of Joomla and Mambo. Note this is not the "core" .htaccess file!
Code:
RewriteEngine On
RewriteBase /
# Blocking direct access: only requests referred from our own site (www or not) pass
RewriteCond %{HTTP_REFERER} !^http://www\.domain\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://domain\.com/.*$ [NC]
# ...and the block only applies to requests ending in index.php (a single backslash escapes the dot)
RewriteCond %{REQUEST_URI} ^.*index\.php$
RewriteRule .* - [F]
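Both the hot-linking rules and the wrapper rules above decide purely on the Referer header and the requested path, and the two rule sets treat an empty Referer differently. The script below is an added example, not part of the original post or of Joomla/Mambo: it emulates in plain sh what each rule set would decide for a given Referer and path, so you can see the behaviour without a live Apache. Each RewriteCond becomes a `grep -E` test, `!` conditions are negated, `[NC]` becomes `grep -i`, and all conditions of a rule are ANDed as mod_rewrite does; the two www/non-www conditions of the wrapper rules are folded into one pattern. The domain names are the guide's placeholders (mydomain.com, domain.com) and the sample requests are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): emulate what the hot-linking
# and wrapper-protection rule sets decide for a given Referer and path.
# Domain names are the guide's placeholders; sample requests are constructed.

# hotlink_decision REFERER PATH -> prints ALLOW or FORBID
# Mirrors:  RewriteCond %{HTTP_REFERER} !^$
#           RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain\.com/.*$ [NC]
#           RewriteRule \.(gif|jpg|js|css)$ - [F]
hotlink_decision() {
    ref=$1; path=$2
    # Cond 1: an EMPTY referer never triggers the block (direct visits, bookmarks)
    [ -n "$ref" ] || { echo ALLOW; return; }
    # Cond 2: a referer from our own site never triggers the block ([NC] = -i)
    if printf '%s\n' "$ref" | grep -Eiq '^http://(www\.)?mydomain\.com/.*$'; then
        echo ALLOW; return
    fi
    # Rule pattern: only the listed file types are protected at all
    if printf '%s\n' "$path" | grep -Eq '\.(gif|jpg|js|css)$'; then
        echo FORBID
    else
        echo ALLOW
    fi
}

# wrapper_decision REFERER PATH -> prints ALLOW or FORBID
# Mirrors:  RewriteCond %{HTTP_REFERER} !^http://www\.domain\.com/.*$ [NC]
#           RewriteCond %{HTTP_REFERER} !^http://domain\.com/.*$ [NC]
#           RewriteCond %{REQUEST_URI} ^.*index\.php$
#           RewriteRule .* - [F]
wrapper_decision() {
    ref=$1; path=$2
    # Either spelling of our own domain as referer lets the request through.
    # There is no "!^$" condition here, so an EMPTY referer is blocked.
    if printf '%s\n' "$ref" | grep -Eiq '^http://(www\.)?domain\.com/.*$'; then
        echo ALLOW; return
    fi
    # Only requests whose URI ends in index.php are affected
    if printf '%s\n' "$path" | grep -Eq '^.*index\.php$'; then
        echo FORBID
    else
        echo ALLOW
    fi
}

# Constructed sample requests ("referer|path") printed as a small table
for sample in \
    "|images/stories/logo.jpg" \
    "http://www.mydomain.com/index.php|images/stories/logo.jpg" \
    "http://evil.example/page.html|images/stories/logo.jpg" \
    "http://evil.example/page.html|about.html" \
    "|/wrapper/index.php" \
    "http://domain.com/index.php?option=com_wrapper|/wrapper/index.php"
do
    ref=${sample%%|*}; path=${sample#*|}
    printf '%-50s %-28s hotlink=%s wrapper=%s\n' "ref=${ref:-<none>}" "$path" \
        "$(hotlink_decision "$ref" "$path")" "$(wrapper_decision "$ref" "$path")"
done
```

Two things the table makes visible. First, the Referer is sent by the visitor's browser and is frequently absent (typed URLs, bookmarks, privacy settings), so the hot-linking rules deliberately let empty-referer requests through, while the wrapper rules as written will refuse such visitors too; treat both as bandwidth and nuisance controls, not as access control for anything sensitive. Second, both patterns only match `http://`, so if the site is reached over https the referer will not match and the site's own pages would be blocked; widen the pattern if that applies to you.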
You should also go through the Apache User's Guide: http://httpd.apache.org/docs/ for more detailed information if you are really serious about making your life easier as a webmaster. You don't need to update all 4,000 of the pages on your site individually, by hand, in order to change one file reference!
Assembled & written by: Leo Lammerink
Sources:
Javascriptkit
Elpie (your highness) – on the Joomla Forum
Gerald UK_Hotmail
Feyd – Mod on JK Forum
JooMa-Desk staff
Mirawati - IndoWebServices
Fujiyati - IndoWebServices