How to Use .htaccess

The .htaccess text file is used extensively today. It works on the Apache server, which runs on almost every web server today. You can use it, for example, if you have web hosting and no access to the global Apache server settings, and you can also use it on a server you host yourself. Not every part of a website is best configured through the global Apache settings; with this text file you can configure each part of your site individually to suit your web application. Its directives only take effect where the server's global configuration permits them through AllowOverride.

You can encounter .htaccess in two forms. The first is a plain text file, htaccess.txt. The problem is that if a potential attacker scans your website using an ACP (Access Checker Page), the scan will reveal that htaccess.txt is accessible, and then someone other than you can read your Apache server settings. You can address this by removing the extension and adding a . (dot) prefix, which turns htaccess.txt into the hidden file .htaccess. Apache's default configuration refuses requests for files whose names begin with .ht, so under that name the file is neither readable nor accessible from outside.

Another important point is that .htaccess applies to the directory it is placed in and to all directories below it. If you place it in the root of the website, it applies to the entire site, unless you place another .htaccess file in a lower directory that overrides the settings from the root.

Apache Server Settings

Error Reporting On/Off

php_flag display_errors off
php_flag html_errors off

Error Documents

Error documents are pages displayed after an event that results in an error.

List of Error Codes and Messages

  • 300 – Multiple Choices
  • 301 – Moved Permanently
  • 302 – Moved Temporarily
  • 303 – See Other
  • 304 – Not Modified
  • 305 – Use Proxy
  • 307 – Temporary Redirect
  • 400 – Bad Request
  • 401 – Unauthorized
  • 402 – Payment Required
  • 403 – Forbidden
  • 404 – Not Found
  • 405 – Method Not Allowed
  • 406 – Not Acceptable
  • 407 – Proxy Authentication Required
  • 408 – Request Timeout
  • 409 – Conflict
  • 410 – Gone
  • 411 – Length Required
  • 412 – Precondition Failed
  • 413 – Request Entity Too Large
  • 414 – Request-URI Too Long
  • 415 – Unsupported Media Type
  • 416 – Requested Range Not Satisfiable
  • 417 – Expectation Failed
  • 500 – Internal Server Error
  • 501 – Not Implemented
  • 502 – Bad Gateway
  • 503 – Service Unavailable
  • 504 – Gateway Timeout
  • 505 – HTTP Version Not Supported

Writing to .htaccess

ErrorDocument 403 /errors/403.html
ErrorDocument 404 /errors/404.html
ErrorDocument 500 /errors/500.html
ErrorDocument 502 /errors/502.html
ErrorDocument 503 /errors/503.html

The paths above start with /, so Apache resolves them from the site's document root: create a directory called errors there and then create the pages 403.html, 404.html, etc. in it. You can put any content you want in the new pages.

File Rules

Sometimes, you need special settings for one or more files.

<Files filename.extension>
    # Rules
</Files>

For example:

<Files index.php>
    php_flag display_errors off
</Files>

File Format Rules

Or sometimes you need special settings for one or more file types.

<FilesMatch "\.(extension|extension|extension)$">
    # Rules
</FilesMatch>

For example:

<FilesMatch "\.(py|js|ztmp|vdf|png|bmp|ico|jpg|gif|jpeg|pdf|cfg|ini|dat|cmd|exe|txt)$">
    # Specifies the file type: serve the file as generic binary data
    ForceType application/octet-stream
    # Specifies how the file should behave: "attachment" means the file cannot be opened, only downloaded
    Header set Content-Disposition attachment
</FilesMatch>

All files with the extensions listed in FilesMatch will only be downloadable by visitors and cannot be opened or executed.

Access Control on the Web

Learn the most important thing: how to control where visitors are allowed or denied access.

  • Allow means access is permitted.
  • Deny means access is denied.

Access denied results in a 403 error, showing your 403 document.

Example: Deny access to everyone and then allow specific users based on their IP addresses.

Order Deny,Allow
Deny from all
# My office
Allow from 12.123.123.123
# My home
Allow from 123.123.123.132
# Colleague Ivan H.
Allow from 12.12.12.123
# Colleague Bc. Jiří V.
Allow from 12.12.12.123
# Entire company if IP address is from the same range (CIDR notation; * wildcards are not supported)
Allow from 12.12.12.0/24

Example: Allow access to everyone, but block users based on their IP addresses.

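# Allow,Deny: Allow is evaluated first and a matching Deny then overrides it.
# With Order Deny,Allow, "Allow from all" would cancel every Deny below.
Order Allow,Deny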
Allow from all
# Spammer Loupák
Deny from 12.123.123.123
# Hacker Petrick
Deny from 123.123.123.132
# Hacker Anonym
Deny from 12.12.12.123
# Spammer from China: block by the provider's hostname suffix, e.g., 67456.dynb.aprise.com.cn
Deny from .cn

Blocking Access to Files

This is useful, for example, for configuration files of web applications that contain important data.

Example: Block access to everyone and then allow specific users based on their IP addresses.

<Files phpinfo.php>
    Order Deny,Allow
    Deny from all
    # My office
    Allow from 12.123.123.123
</Files>

Example: Block access to all files with a certain extension and then allow specific users based on their IP addresses. For example, block external access to all Python files (.py) and shell scripts (.sh).

<Files *.py>
    Order Deny,Allow
    Deny from all
    # My office
    Allow from 12.123.123.123
</Files>

<Files *.sh>
    Order Deny,Allow
    Deny from all
    # My office
    Allow from 12.123.123.123
</Files>

Or more simply:

<FilesMatch "\.(py|sh)$">
    Order Deny,Allow
    Deny from all
    # My office
    Allow from 12.123.123.123
</FilesMatch>
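
The allow and block rules above use the Apache 2.2 Order/Allow/Deny directives, which Apache 2.4 supports only through mod_access_compat. As an added example (not part of the original page), here are the same policies written with the 2.4 Require directives, reusing the page's placeholder addresses. The htaccess.txt rule at the end assumes a leftover plain-text copy sits in the same directory.

```apache
# Added example for Apache 2.4 (mod_authz_core + mod_authz_host).
# Not from the original page; IP addresses are the page's placeholders.
# In .htaccess, Require needs "AllowOverride AuthConfig" in the server config.

# Directory-wide blocklist: everyone may enter except the listed clients.
# 2.2 form: Order Allow,Deny / Allow from all / Deny from ...
<RequireAll>
    Require all granted
    Require not ip 12.123.123.123
    Require not ip 123.123.123.132
    # Matches the suffix of the client's hostname; costs a DNS lookup per request
    Require not host .cn
</RequireAll>

# Allowlist for one sensitive file: only the office address gets through.
# 2.2 form: Order Deny,Allow / Deny from all / Allow from 12.123.123.123
# The Require inside <Files> replaces the directory-wide rule for this file
# (AuthMerging defaults to Off).
<Files "phpinfo.php">
    Require ip 12.123.123.123
</Files>

# Allowlist by extension; the dot is escaped so it matches a literal ".".
# Require lines outside a container are OR-ed: the office address or any
# address in the company /24 is accepted, everyone else receives 403.
<FilesMatch "\.(py|sh)$">
    Require ip 12.123.123.123
    Require ip 12.12.12.0/24
</FilesMatch>

# Never serve .ht* files or a leftover plain-text copy of this file.
<FilesMatch "^(\.ht.*|htaccess\.txt)$">
    Require all denied
</FilesMatch>
```

Do not mix Order/Allow/Deny and Require for the same resource; pick one syntax for each .htaccess file.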