.htaccess Generator: Apache Config Without the Syntax Nightmare
π· Taylor Vick / Pexels.htaccess Generator: Apache Config Without the Syntax Nightmare
The .htaccess file is one of the most powerful and most misunderstood files on an Apache server. Learn what it does, the rules every site needs, common pitfalls, and how to generate correct config without memorizing cryptic syntax.
I learned about .htaccess files the hard way. I was setting up a WordPress site on shared hosting, had everything configured in the WordPress admin, and could not figure out why pretty URLs were returning 404 errors. The answer, buried in a Stack Overflow thread from 2011, was a one-liner in .htaccess. That file had been sitting there empty in the root of my site, completely ignored by me, doing absolutely nothing.
Once I understood what it was, I realized it was one of those files that is simultaneously simple and terrifying. Simple because it is just a plain text configuration file. Terrifying because a single typo sends your entire site into a 500 error state, and debugging is not exactly user-friendly.
If you want to skip the theory and get a correctly formatted file right now, the htaccess-generator tool will build it for you. But understanding what each directive does will save you hours of confusion when something does not behave as expected.
What .htaccess Actually Is
The .htaccess file (the name starts with a dot, which makes it a hidden file on Unix systems) is a directory-level configuration override for Apache web servers. When Apache serves a request for a file in a directory, it looks for an .htaccess file in that directory β and every parent directory up to the document root β and applies any configuration it finds there.
This is fundamentally different from the main Apache configuration file (httpd.conf or apache2.conf). The main config applies server-wide, requires root access to edit, and needs a server restart to take effect. .htaccess is per-directory, can usually be edited by whoever owns the web files, and takes effect immediately β no restart needed.
The trade-off is performance. Because Apache checks for .htaccess files on every single request (not just once at startup), there is a small but measurable overhead. On high-traffic production servers where you control the main config, it is generally better to put these rules in the virtual host config instead. But for shared hosting where you do not have that access, .htaccess is the only option.
There is also a critical prerequisite that catches a lot of people: .htaccess only works if Apache's AllowOverride directive is set to allow it. If it is set to None, Apache will silently ignore your .htaccess files, and all your rules will have no effect whatsoever.
The Three Rules Every Site Should Have
Over the years of working with Apache-based sites, I have settled on three .htaccess rules that I consider essentially mandatory for any production site. You can generate all of these quickly with the htaccess generator, but here is the reasoning behind each one.
1. Force HTTPS
If your site is available over both HTTP and HTTPS, users who type your domain into a browser without a protocol prefix will often land on the HTTP version first. This is a security problem (the connection is unencrypted) and an SEO problem (search engines may see two versions of your site as duplicate content).
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
The R=301 makes this a permanent redirect, which tells search engines to update their index. The L flag means "stop processing rules if this one matches."
One important note: make sure your SSL certificate is actually installed and working before you add this redirect. If you add an HTTPS redirect before SSL is configured, you will lock yourself out of your own site.
2. Enable Gzip Compression
Text-based files β HTML, CSS, JavaScript, JSON, XML β compress extremely well. Enabling gzip compression at the Apache level means your server will automatically compress responses before sending them, often reducing file sizes by 60-80%. This costs a tiny amount of CPU time but dramatically reduces bandwidth usage and improves page load times.
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/plain text/css
AddOutputFilterByType DEFLATE text/javascript application/javascript
AddOutputFilterByType DEFLATE application/json application/xml
AddOutputFilterByType DEFLATE image/svg+xml
</IfModule>
The <IfModule> wrapper is important β it makes this block conditional on mod_deflate being available. Without the wrapper, if the module is not installed, Apache will throw an error.
3. Disable Directory Listing
By default, if a visitor requests a URL that maps to a directory, and that directory does not have an index.html (or index.php, etc.), Apache will happily display a list of all files in that directory. This is a significant security exposure β it lets anyone browse your file structure, find backup files, old configs, and anything else you have uploaded but not linked to.
Options -Indexes
That is the entire directive. One line. It disables directory listing across the entire directory and its subdirectories. I genuinely cannot think of a production website scenario where you would want this enabled.
Common Pitfalls That Will Ruin Your Day
The AllowOverride Problem
I mentioned this earlier but it deserves emphasis because it is the single most common reason .htaccess files seem to "not work." If your server or virtual host configuration contains:
<Directory /var/www/html>
AllowOverride None
</Directory>
Then your .htaccess file is completely inert. Apache reads it but ignores it. The fix is to change None to All:
<Directory /var/www/html>
AllowOverride All
</Directory>
This requires access to the main Apache config, which means you need root access or your hosting provider needs to do it. On shared hosting, AllowOverride All is usually the default, which is why this issue is more common on VPS and dedicated server setups where you control the config.
Enabling Both www and Non-www Redirects
This is a very easy mistake to make. You want to redirect http:// to https://, and you also want to standardize on www or non-www. So you write two separate redirect rules. The problem is that these two rules can conflict with each other, creating redirect loops or chains that hurt SEO.
The right approach is to handle both in a single pass. Pick one canonical form (I recommend non-www with HTTPS) and write the rule so it checks both conditions together:
RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteRule ^ https://yourdomain.com%{REQUEST_URI} [R=301,L]
This handles all four cases (http non-www, https non-www, http www, https www) and redirects everything to https://yourdomain.com in a single redirect.
Using .htaccess on Nginx
This one sounds obvious but I have seen it cause real confusion. Nginx does not read .htaccess files. At all. It is purely an Apache concept. If you migrate from Apache to Nginx (which many people do for performance reasons), all your .htaccess rules need to be manually translated into Nginx server block directives.
Some managed WordPress hosts use Nginx under the hood but advertise their control panel as supporting WordPress "the same way as Apache." When developers upload an .htaccess file expecting it to work, nothing happens, and debugging gets confusing. Always confirm which web server is actually running your site.
Forgetting the RewriteBase for Subdirectory Installs
If your application is installed in a subdirectory (e.g., yourdomain.com/blog/) rather than the root, many rewrite rules will break without a RewriteBase directive:
RewriteBase /blog/
This tells Apache the base path for rewriting URLs, so it does not try to apply rewrites relative to the document root.
.htaccess vs Editing httpd.conf Directly
There is a real debate in the Apache community about whether you should use .htaccess at all, versus putting everything directly in your virtual host configuration. Here is my honest take:
Use .htaccess when:
- You are on shared hosting with no access to the main config
- You need rules to apply to specific directories or subdirectories independently
- You need changes to take effect without a server restart (useful during active development)
- Multiple developers or teams need to manage configs for their own sections of a site
Use httpd.conf or virtual host config when:
- You control the server and care about performance
- The rules apply site-wide and never need to change per-directory
- You want the config to be version-controlled alongside your infrastructure code (not inside your web root)
For most solo developers and small teams on shared hosting, .htaccess is the practical answer. For production deployments at scale, the performance-conscious choice is to avoid .htaccess and put everything in the server config. The htaccess generator generates code you can paste into either location.
Practical Example: Setting Up a New WordPress Site
Here is a real-world walkthrough of configuring .htaccess for a fresh WordPress installation. WordPress needs mod_rewrite to work at all β without it, every page except the home page returns a 404.
Step 1: Start with what WordPress generates
When you set up permalinks in WordPress Settings > Permalinks, WordPress will try to write this to your .htaccess automatically:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
If WordPress cannot write the file (permission issues), it shows you this block and asks you to paste it manually. This is the minimum required for WordPress to function.
Step 2: Add HTTPS redirect above the WordPress block
Rules go above the # BEGIN WordPress comment because WordPress will rewrite everything between those comments when you save permalink settings:
# Force HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# BEGIN WordPress
...
Step 3: Add performance and security directives
Below the # END WordPress comment, add compression and security headers:
# END WordPress
# Gzip compression
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/css text/javascript
AddOutputFilterByType DEFLATE application/javascript application/json
</IfModule>
# Browser caching
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpeg "access plus 1 year"
ExpiresByType image/png "access plus 1 year"
ExpiresByType text/css "access plus 1 month"
ExpiresByType application/javascript "access plus 1 month"
</IfModule>
# Disable directory listing
Options -Indexes
# Block access to sensitive files
<FilesMatch "\.(env|log|ini|bak|sql|conf)$">
Order allow,deny
Deny from all
</FilesMatch>
Step 4: Protect wp-config.php
This file contains your database credentials. Add explicit protection:
<Files wp-config.php>
Order allow,deny
Deny from all
</Files>
The complete file (in the right order) should now handle HTTPS redirect, WordPress rewriting, compression, caching, and basic security hardening. You can generate this entire configuration in about 30 seconds using the htaccess generator tool β just check the options you need and copy the output.
Useful Directives Beyond the Basics
Once you have the fundamentals covered, here are some other things .htaccess can handle that developers often do not realize:
Custom error pages:
ErrorDocument 404 /404.html
ErrorDocument 500 /500.html
Password-protecting a directory:
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /path/to/.htpasswd
Require valid-user
Blocking specific IP addresses:
Deny from 203.0.113.42
Setting custom headers (useful for security):
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Preventing hotlinking of images:
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https://(www\.)?yourdomain\.com [NC]
RewriteRule \.(jpg|jpeg|png|gif|webp)$ - [F,NC]
Testing Your Changes
After editing .htaccess, test immediately. A syntax error will cause a 500 error for the entire directory. Here are the things I always check:
- Open the site in a browser and look for 500 errors
- Check the Apache error log β usually at
/var/log/apache2/error.logor/var/log/httpd/error_log - Use
apachectl configtest(if you have server access) to validate the main config - Test redirects explicitly with
curl -I http://yourdomain.comand check the response headers
The htaccess generator generates syntactically correct output for common use cases, which reduces the chance of typos causing a 500. But the logic of your rules β especially redirect chains β still needs human review.
Wrapping Up
.htaccess files are deceptively simple to write incorrectly. A forgotten RewriteEngine On, a misplaced [L] flag, or an AllowOverride None setting that you did not know existed can make your rules silently do nothing. The syntax for mod_rewrite in particular has some gotchas that I still sometimes get wrong after years of working with it.
The practical answer for most developers is to use a generator for the standard patterns (HTTPS redirect, compression, security headers, custom error pages) and understand the output well enough to debug when something is not working. The htaccess generator tool covers all the most common use cases, explains what each option does, and gives you output you can use immediately.
Keep a backup of your working .htaccess before every edit. Test on staging when possible. And when in doubt, start with the minimal configuration that makes things work, then add complexity one directive at a time.