Forum Topic: Book Feedback

Forum: .htaccess Forum : Welcome • Posted by Jeff Starr

Open thread for reader feedback about the book. Feel free to leave comments, questions, suggestions, and so forth. Alternately, you may send feedback privately via email via: Thank you!

16 Replies to “Book Feedback”

Posted by Brian Zelip

Hi. Looking forward to the book.

Feedback: it’d be handy to have on the Members page a link to one zip file containing all book versions & files in order to grab everything in one swoop.

Posted by Jeff Starr

Great idea Brian, will try to implement for the next site update. Thank you for the feedback.

Posted by Max

Hi Jeff,

I’m trying to find the file mentioned in the book, in the bottom section of page #11 (as pasted below).

I see several htaccess files to download, but do not see anything which seems to match the description in the book. Am I just missing it?

This book includes an .htaccess file with chapter-examples and inline-comments. Download here:

Cheers, Max

Posted by Jeff Starr

Hi Max,

Here is a screenshot showing where to find it:

Note that some of the other templates also include examples from the book.

Posted by Leon Fernandez

I am currently in chapter 4 and up to the moment there is only one thing I would recommend for future versions, that in Chapter 3, page 35, subtitle Installation it would be a good idea to mention a bit about CHMOD (unless I missed it), and that the htaccess file needs to have 755 permissions to work properly (at least with the servers I have tested).

It might seem kind of naive, but I had to learn the hard way a few years ago when I started with htaccess (of course I only used it for permissions, I didn’t know it had such powerful abilities as outlined in the book), and for someone starting up it might hit a light and save time to know about it.

By the way, just received the book the other day (Wednesday), only took 4 business days, and considering that I live in a small town in Costa Rica it was fast, normally it takes double that time.

This is a nicely conceived book, with a professional presentation, well written step by step technical reference with a human touch in the explanation. I like the idea of having a good tech book like this, searches always take time and are scattered, not to mention imprecise or with little explanation at times.

Posted by Jeff Starr

Hey Leon, thank you for the great and insightful feedback, much appreciated. Just a note about the permissions of an .htaccess file, it actually is best to NOT use 755, but rather keep things as restrictive as possible with 644 or similar/better. IMO 755 is just too permissive, as it gives scripts write permissions and in general serves as a liability on the server. .htaccess normally works fine with much tighter permissions; in some cases however scripts like cPanel require looser access in order to add their own rules, etc.

Posted by Leon Fernandez

Thanks for the explanation, in fact I read it on your other site a few days ago, I didn’t know it could work that way, I used to use a server with an old version of FreeBSD that required to have these kinds of files executable by owner in order to work so I kept using it that way (now I am on Linux), tested it with 644 and works great with better security like you explained.

I haven’t been updating my sites for years with the excuse that they all worked well until I read about the security risks and frequent hacking that others have suffered, now I know that it is important to keep things updated, most of all security wise.
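
The permissions point from the replies above (644 rather than 755), as an added example that is not part of the thread or the book: a POSIX shell audit that lists `.htaccess` files carrying any execute bit or group/other write bit and resets them to 644. The function names and the constructed demo tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or the book.
# Function names and the demo tree are hypothetical.

# List .htaccess files under $1 whose mode grants more than 644:
# any execute bit (100/010/001) or group/other write (020/002).
audit_htaccess() {
    find "$1" -type f -name .htaccess \
        \( -perm -100 -o -perm -010 -o -perm -001 \
           -o -perm -020 -o -perm -002 \) -print | sort
}

# Reset every flagged file to 644 and print what was changed.
tighten_htaccess() {
    audit_htaccess "$1" | while IFS= read -r f; do
        chmod 644 "$f" && printf 'chmod 644 %s\n' "$f"
    done
}

# Constructed demo tree so the script runs offline.
demo_tree() {
    root=$(mktemp -d) || return 1
    for d in site site/admin site/uploads site/private; do
        mkdir -p "$root/$d"
        printf '# constructed sample\n' > "$root/$d/.htaccess"
    done
    chmod 755 "$root/site/.htaccess"          # flagged: execute bits
    chmod 644 "$root/site/admin/.htaccess"    # within the baseline
    chmod 666 "$root/site/uploads/.htaccess"  # flagged: group/other write
    chmod 600 "$root/site/private/.htaccess"  # tighter than the baseline
    printf '%s\n' "$root"
}

demo=$(demo_tree)
echo "Flagged before:"; audit_htaccess "$demo"
tighten_htaccess "$demo"
echo "Flagged after:"; audit_htaccess "$demo"
rm -rf "$demo"
```

Files already tighter than 644 (such as the 600 one) are left alone, since the audit only flags bits beyond the baseline.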

Posted by Leon Fernandez

Hi, I think I spotted a typo in the book on page 115 under Chapter 7, tighten security, first paragraph, it should be .htpassword but it mentions .htaccess when relating to the path for the password file.

Where it says:

To use this basic password-protection technique, edit the AuthUserFile path to match the location of your .htaccess file….

Posted by Leon Fernandez

Another recommendation is to include the latest Gseries blacklist htaccess template in Members Area, under the section Downloads, Template Files.

I mention this because I was reviewing your site weeks ago and started to use the 2g series mentioned in a link on another article, when I found out that it was outdated.

Note: Don’t block my IP yet until I fully understand this, if I am commenting and/or asking too much please let me know, haha.

Posted by Jeff Starr

Great idea, will try to add some links to the latest G-series blacklist in the Members Area. The book also discusses the latest (5G Blacklist), so more info can be found there as well (in the security chapter). Thank you for the feedback, much appreciated.

Posted by Stuart Wheeler

On page 131 of the book there is an example of whitelisting search engine bots. Should the module in the example be mod_authn_file.c?

From what I can find on BrowserMatchNoCase it’s part of mod_setenvif.c. I can’t find any mention of it in mod_authn_file.c.

Posted by Jeff Starr

Nice catch, you are correct:

Will update next version of the book.

Thank you for reporting!

Posted by Stuart Wheeler

For the past few weeks I’ve been struggling with htaccess rules that didn’t seem to work properly, despite being copied and pasted from your examples, or from elsewhere. I’ve rewritten some of them in a few different ways, yet each time they still didn’t work. I was beginning to wonder whether half the Apache modules were turned off.

Typically the problematic rules would be along the lines of issuing a 403 for certain URIs that either didn’t exist, or to which I wanted to deny access.

It’s only dawned on me today, after much Googling, that it wasn’t the rules that were the problem, or modules being turned off in Apache, but simply the lack of an ErrorDocument directive for each error code that I wished to return.

My website is on a hosted service that runs cPanel, which according to some people, seems to affect error return codes in some way.

As soon as I included ErrorDocument instructions for each return code, even just setting it to be the default value, such as:

ErrorDocument 403 default

then my rules started to work properly.

In your book, the discussion on the use of ErrorDocument only seems to cover custom error pages. I believe there is scope for an additional paragraph on why it makes sense to include an ErrorDocument line for each different error code (e.g. 403, 404, 410 etc.) that you plan to return even if you have no intention of using custom error pages.

The directives can simply inform Apache to use the default error messages. Depending on your hosting environment, the absence of ErrorDocument directives can make Apache ignore many of your htaccess rules entirely. Had I known this, I wouldn’t have spent the last few weeks wondering why some of my rules weren’t working.

Posted by Jeff Starr

Thanks for the feedback, Stuart. Never heard about this before, must be specific to cPanel? Either way, will add a note about this in the next book update.

Posted by Stuart Wheeler

I’m not sure of all the details on this cPanel-related anomaly, but here’s a thread on StackExchange that mentions it.

Posted by Jeff Starr

Ah, it’s a bug in cPanel. That makes more sense, still good to know. Thanks again for reporting.