.htaccess guide

Any adult webmaster should use .htaccess to protect their site from hotlinkers at least.

  • Basic requirements of .htaccess
  • Protect your content from hotlinkers & bookmarks
  • referer protection with video clips or JavaScript
  • Redirect all 404 not found and other errors to a page of your choosing
  • Ban certain IPs from accessing your site, or only allow certain IPs
  • Require passwords to enter a certain area

    For more extensive .htaccess information, use the NCSA authentication tutorial
    This mosaic tutorial includes step by step basic by-password authentication,
    info on multiple usernames & passwords, it has examples, and general information.

    .htaccess info for Netscape servers
    .htaccess files aren't supported by the Netscape servers, but
    the Netscape servers do support ".nsconfig" files, which do much the
    same thing in a slightly different fashion. Use the link above to find
    out more.


    Basic requirements of .htaccess

    Unix (Linux) required
    To use .htaccess, you'll need to be on a server running Linux or some other
    Unix like operating system, such as FreeBSD, and using server software such as
    Apache or another server that supports it. In other words, you can't can't
    use it with Windows NT or other Microsoft OSs. But then again, you really
    don't want to be hosted on NT anyway, Linux & Apache make a much better
    web server anyway.
    .htaccess info for Netscape servers

    Name and upload the file properly
    No matter what you're using .htaccess for, be careful to be sure that
    you have named the file .htaccess . Not .htaccess.txt or htaccess ,
    this is a common error. When using windows the easiest way to make sure
    that Notepad or another program doesn't add the .txt extension is to
    quote the file name in the Save As dialog, as such: ".htaccess" .

    Next you need to make sure the file is uploaded to the server in ASCII mode.
    Your FTP client probably has a check box that allows you to choose either
    ASCII, binary, or automatic. This is the most common problem.

    The protected directory
    .htacess files affect the directory in which they are located and the sub-directories
    of that directory.
    (note - a directory is the same as a Windows "folder")
    Therefore, webmasters normally use a "members" directory for anything
    they want to protect, with an "images" sub-directory inside that.
    You then put any samples or other "unprotected" items in a different directory.
    For example, the public area URL would be:
    www.yourdomain.com/samples.htm
    Members area URLs:
    www.yourdomain.com/members/gallery1.htm
    and
    www.yourdomain.com/members/images/pic1.jpg


    Protect your content from hotlinkers & bookmarks

    This .htaccess technique keeps other sites from "stealing" your content
    by using a tag such as <img src="http://yourdomain.com/pic1.jpg">
    It also keeps them from providing a direct link to your content pages.

    First, be sure to set up your "members" directory as explained above.
    Be sure that view this page full screen so the line breaks don't mess up.
    Then open Notepad and paste in the following code, depending on which AVS you use:
    (note: We recently added the (:80)* part to our suggested code.
    It should be helpful for some AOL users, and anyone including a port
    number. It hasn't been thoroughly tested yet though. Please
    let us know
    how it works for you.)


    VIP-ID

    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !^http://([a-z0-9-]+\.)*YOURSITE.com(:80)*/ [NC]
    RewriteCond %{HTTP_REFERER} !^http://([a-z0-9-]+\.)*vip-id.com(:80)*/ [NC]
    RewriteRule /* http://%{HTTP_HOST}/ [R,L]


    Adult Check

    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !^http://([a-z0-9-]+\.)*YOURSITE.com(:80)*/ [NC]
    RewriteCond %{HTTP_REFERER} !^http://id.adultcheck.com(:80)*/ [NC]
    RewriteRule /* http://%{HTTP_HOST}/ [R,L]

    Of course, where it says "your-site.com", you need to replace
    that part with the domain name of your site.

    Then FTP this file into your members directory, naming it .htaccess
    Notice the dot ( . ) in the name. Some people mistakenly leave it off.

    Other people mistakenly call it members.htaccess or something.
    Don't do that. It just called .htaccess
    When you FTP it, make sure to set your FTP program to send it in
    ASCII or TEXT mode. If your using another AVS besides AC you'll
    need to replace that line with the appropriate URL.

    Referer protection with video clips or JavaScript

    Video players such as Microsoft media player do not properly
    pass the HTTP_REFERER variable used above. JavaScript based menus
    suffer from the same problem. Therefore, neither are not compatible
    with the .htaccess configurations described above.

    If you're using JavaScript menus, you can simply switch over to cgi
    based menus instead, or you can use either of the techniques that you use
    for video clips.
    CGI-Fast.com can help you with cgi based menus.
    If you have video clips on your site such as mpg, avi, or RealVideo,
    you have two choices, allow the null referer, or use a cookie.
    To allow a null referer, you'll add one line, so it'll look like this:

    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !^http://([a-z0-9-]+\.)*YOURSITE.com(:80)*/ [NC] RewriteCond %{HTTP_REFERER} !^http://id.adultcheck.com(:80)*/ [NC] RewriteCond %{HTTP_REFERER} !="" RewriteRule /* http://%{HTTP_HOST}/ [R,L]

    That's it for the null referer method, you're done.
    Unfortunately, that also allows people to bookmark the page.
    Not really a problem on regular AVS sites, but many Gold AVS
    webmasters don't want people bookmarking.

    To prevent bookmarking, you can use a cookie to determine if they logged in
    through the AVS script. Add this line to your .htaccess instead:

    RewriteCond %{HTTP_COOKIE} !(^|(.+;)*)id=valid(;.*|$)

    So now your .htaccess looks like this:
    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !^http://([a-z0-9-]+\.)*YOURSITE.com(:80)*/ [NC] RewriteCond %{HTTP_REFERER} !^http://id.adultcheck.com(:80)*/ [NC] RewriteCond %{HTTP_COOKIE} !(^|(.+;)*)id=valid(;.*|$) RewriteRule /* http://%{HTTP_HOST}/ [R,L]
    You need some javascript to set the cookie.
    Paste the foillowing javascript into the <head> section of
    you first protected page:
    (Often www.you.com/members/index.html.)
    Your site is now protected.

    Require passwords to enter a certain area

    Here is the .htaccess code to require passwords:

    AuthType Basic
    AuthUserFile /home/user/.htpasswd
    AuthGroupFile /dev/null
    AuthName "Members Area"
    <Limit GET>
    require valid-user
    </Limit>


    Redirect all 404 not found and other errors to a page of your choosing

    404 errors are generated when users try to go to a page that dosen't
    exist, like a typo in the url.
    To redirect a 404, add the .htaccess code below, substituting the url
    of the page you want the user to be redirected to.


    ErrorDocument 404 http://www.doamin.com/pagemissing.htm
    Also works for other error numbers, such as 403


    Ban certain IPs from accessing your site, or only allow certain IPs

    Allow only certain users from certain ISPs to access:

    <Limit GET>
    order deny,allow
    deny from all
    allow from your.isp.net
    </Limit>

    Block certain users from certain ISPs:

    <Limit GET>
    order allow,deny
    allow from all
    deny from bad.people.com
    </Limit>


    For more extensive .htaccess information, use the
    NCSA authentication tutorial
    This mosaic tutorial includes step by step basic by-password authentication,
    info on multiple usernames & passwords, it has examples, and general information.