Editing .htaccess – OK or NOT?

[Adam Kiss]

Hi all,

I had to change few things in my .htaccess, due to host supporting only mod_rewrite properties. Is it ok? These things are gone:

Options -Indexes
Options +FollowSymLinks

I think, that indexes are denied in control panel, so this should be ok

ErrorDocument 404 /index.php

This should be set in CP again, I think

<Files favicon.ico>
  ErrorDocument 404 "The requested file favicon.ico was not found.
</Files>

<Files robots.txt>
  ErrorDocument 404 "The requested file robots.txt was not found.
</Files>

I'm not sure about this one

<FilesMatch "\.(inc|info|module|sh|sql)$|^(\..*)$">
  Order allow,deny
</FilesMatch>

I hope this is just additional safety

<IfModule mod_php5.c>
  php_flag magic_quotes_gpc		off
  php_flag magic_quotes_sybase		off
  php_flag register_globals		off
</IfModule>

Again, additional safety

DocumentIndex ...

php gets taken first, so this is set, I hope.

Any comments?

[ryan]

It should be fine to remove all of those.

I would suggest disallowing indexes just for security (keeps prying out of directories without index files). But if indexes are already denied, then all good.

The ErrorDocument stuff is just an optimization to keep the favicon.ico and robots.txt requests from getting sent to PW. It is fine to remove those.

The FilesMatch is a secondary measure and it should be okay to remove. Several of the RewriteRules are doing roughly the same thing.

The php_flags are just optimization and are fine to remove.

Likewise DirectoryIndex is fine to remove.

[drilonb]

If someone is using 1and1 hosting this is my solutuion to work Processwire in 1and1

	

        AddType x-mapp-php5 .php .html .htm
        AddHandler x-mapp-php5 .php .html .htm

        RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} !^www\.(.*)$ [NC]
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteBase /
RewriteRule ^(.+) - [PT,L]

[ryan]

Thanks for posting. I'm guessing this part is necessary because 1&1 is defaulting to PHP4? (and this forces it to use PHP5?)

AddType x-mapp-php5 .php .html .htm
AddHandler x-mapp-php5 .php .html .htm

There are some security considerations with making HTML documents run through PHP, so unless you need that, you may want to remove the .html and .htm extensions from being parsed by PHP.

Why are these lines necessary for 1&1?

RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} !^www\.(.*)$ [NC]
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]

Is looks like this redirects a non-www hostname to a www hostname (we're doing the opposite with processwire.com).

Thanks,

Ryan

[drilonb]

Yes this code is for if someone type site.com to R to www.site.com

RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} !^www\.(.*)$ [NC]
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]

but with out this doesn't work in 1&1 or work just first page when you try to go to other pages u will got error 500

Error 500 - Internal server error

An internal server error has occurred!

Please try again later.

RewriteBase /  this line is in processwire htaccess but is off and need to be on for 1and1 hosting, in other servers work without it,
RewriteRule ^(.+) - [PT,L]

[ryan]

Thanks for posting this. 1&1 is a large hosting provider, and if they require modifications to the default htaccess in order for the site to work, this is really good to know about. I'm sure this will be helpful to others.

I'm just wondering if there is anything I can do to avoid having it not work in the first place at 1&1... it's not safe for me to assume a www redirect in the default .htaccess file, or to apply a rule like that based on the status of HTTPS. They must have an unusual configuration at 1&1. I will do more research into this.

[drilonb]

RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} !^www\.(.*)$ [NC]
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]

  this is not necessary, work and with out it only RewriteBase / need to be on to work PW in 1and1,

[ryan]

Okay that's good to know, thanks for the clarification. We've already got the note about the RewriteBase commented in the htaccess file so I won't worry about that one. But knowing that it's required at 1&1 (a fairly major hosting service) I might need to call more attention to this in the install directions.

[RedGreen]

This may be helpful to anyone using 1and1 recently - I used the htaccess file from 3.0.62 and simply uncommented the RewriteBase / line.  No other changes necessary.