Apache Tips
On this page are various tips that can be used when you want to do more than just serve documents to the public-at-large.
.htaccess
Redirecting for a moved file
When you move a file and want to automatically redirect browsers and search engines, put a line like this in the .htaccess file of the document root:
Redirect 301 /pathname/document.php http://mydomain.ca/newpath/newdoc.php
The 301 argument (mod_alias also accepts the keyword permanent in its place) tells Apache to send back a 301 status code, which means “Moved Permanently”. This lets search engines know to update their records. Note that the bracketed flag form [R=301,L] belongs to mod_rewrite's RewriteRule and is not accepted by Redirect.
You must provide a complete URL in the third parameter, even if the domain name does not change.
Forcing Authentication
To force people to enter a user name and password in order to see files in a certain directory, place lines similar to the following in the .htaccess file in the directory you wish to protect (the directory's AllowOverride setting must include AuthConfig, or the .htaccess file is silently ignored):
AuthUserFile /var/www/auth/my-password-list
AuthGroupFile /dev/null
AuthName "Restricted documents area"
AuthType Basic
require valid-user
Keep the password file outside of Apache's document tree. By default, a web server's document root is /var/www/localhost/htdocs, so placing the authentication files in /var/www/auth makes them unreachable via a web browser. Basic authentication sends the credentials merely base64-encoded on every request, so serve protected directories over HTTPS.
Next, to create or update the password file with user name+password pairs, you would:
cd /var/www/auth
htpasswd [-c] my-password-list username
Provide the -c option only the first time, to create the file; leave it out afterwards, because -c recreates the file and discards every entry already in it.
You will be prompted for the password.
Prohibiting Access to Certain Files
Perhaps you have a situation where you have sensitive information in files that are under Apache's document root and cannot readily change this situation. This is dangerous if anyone happens to have a bit of inside information (or is a good guesser).
For example, I had a client once with a situation where some programmers who were rather new to web-based applications had put their data files within the same directory as their PHP files. If someone happened to know or guess the name of a configuration file (might it be something common like “config.inc” perhaps?) then they could potentially view that file with a web browser, and perhaps they would see passwords or other sensitive information.
To avoid this you can place a directive in your httpd.conf file something like this:
<Files ~ "\.inc(\.php)?$">
    Order allow,deny
    Deny from all
    # Apache 2.4 and later: replace the two lines above with "Require all denied"
</Files>
The tilde (~) character tells Apache to treat the quoted string as a regular expression (the same as using <FilesMatch>). In the above example the pattern matches any file name that ends in “.inc” with or without “.php” after it, so neither “file.inc” nor “file.inc.php” would be delivered to a user's browser. Both dots are escaped: an unescaped dot would match any character. <Files> compares only the file name part of the path, not the directory, and the anchored pattern does not cover variants such as “config.inc.bak” or “config.inc~”, so check what the pattern actually covers.
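As an added example (not from the original page), here is a small Python audit that applies the <Files ~> pattern above to a constructed listing of document-root file names and reports include-like files the pattern would still serve, such as editor backup copies; it assumes Python's re module behaves the same as Apache's PCRE for patterns this simple.

```python
import re

# Constructed sample listing of a document root (not taken from any real server).
SAMPLE_DOCROOT = [
    "index.php",
    "config.inc",
    "lib/config.inc.php",
    "db.inc.bak",        # backup copy left behind by an editor or an admin
    "settings.inc~",     # emacs/vi style backup file
    "images/logo.png",
]

# Patterns exactly as they would appear in <Files ~ "..."> with Deny from all.
# Apache uses PCRE; Python's re module behaves the same for patterns this
# simple (assumption).
PAGE_PATTERNS = [r"\.inc(\.php)?$"]               # the pattern from the text
BROADER_PATTERNS = [r"\.inc(\.php)?(\.bak|~)?$"]  # also covers backup copies

# Heuristic for names that look like PHP include/config files.
INCLUDE_LIKE = re.compile(r"\.inc(\.|~|$)")


def basename(path):
    """<Files> matches only the file name part of a path, never the directory."""
    return path.rsplit("/", 1)[-1]


def is_denied(path, patterns=PAGE_PATTERNS):
    """True if one of the <Files ~> patterns matches the file name, i.e. the
    Deny from all block would refuse to serve it."""
    name = basename(path)
    return any(re.search(p, name) for p in patterns)


def unprotected_includes(paths, patterns=PAGE_PATTERNS):
    """Include-like files in the listing that no pattern matches and that the
    server would therefore hand to a browser as plain text."""
    return [p for p in paths
            if INCLUDE_LIKE.search(basename(p)) and not is_denied(p, patterns)]


if __name__ == "__main__":
    for label, pats in (("page pattern", PAGE_PATTERNS),
                        ("broader pattern", BROADER_PATTERNS)):
        print(f"{label}: still served -> {unprotected_includes(SAMPLE_DOCROOT, pats)}")
```

Run it against the output of `find "$DOCROOT" -type f` to audit a real document root instead of the constructed list.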
PHP Security Tip
Are you in the habit of placing database access passwords in-line in your PHP code? If so, you may want to consider that these could be exposed.
Imagine what would happen if you were to upgrade your Apache to a new version and, without thinking, replaced your configuration files with the supplied defaults. By default, Gentoo's portage does not place “-D PHP5” in your /etc/conf.d/apache file. Therefore, when someone requests “www.mydomain.ca/index.php” they will see the source text of your PHP file. And if that file happens to contain a password or the location of a file that contains passwords… whoops! You've just compromised the security of one or more servers!
To avoid this, always put configuration files that hold sensitive information in a directory outside of your document root and load them from PHP with an absolute path. This way, even if someone happens to learn the name of that file, they won't be able to view it with a web browser.