Network Administration
Apr 19, 2026

How to Configure Apache .htaccess Files

AllowOverride categories, RewriteBase and per-directory rewriting, performance cost of AccessFileName lookups, migrating rules to VirtualHost, and enterprise alternatives to distributed config.

What .htaccess actually is

A file named by AccessFileName (default .htaccess) can appear in each directory. When AllowOverride is not None, Apache walks every directory component from the URL’s mapped path upward, stat()ing for that filename until the first readable file is found or the filesystem root is reached. That means deep trees multiply syscalls per request even when no .htaccess exists—AllowOverride None short-circuits the walk entirely.

AllowOverride categories

Rather than binary on/off, Apache supports grouped directive classes so you can allow, for example, authentication overrides without permitting arbitrary rewrite rules:

Token       Typical directives enabled
None        No .htaccess processing—best default for performance
AuthConfig  AuthType, AuthUserFile, Require in legacy/basic auth setups
FileInfo    mod_rewrite directives, DefaultType, many response header tweaks
Indexes     Directory listing styling and autoindex options
Limit       Legacy HTTP method limits—prefer authz_core in 2.4
All         Everything permitted in .htaccess—avoid on shared hosting unless unavoidable

RewriteEngine and RewriteBase

In per-directory context (<Directory> or .htaccess), RewriteRule patterns are relative to the directory prefix stripped from the current path. RewriteBase /subdir/ adjusts substitution targets when your app lives under a mount point; mis-set bases produce redirect loops or 404 cascades that work in server config but fail only in .htaccess. Use RewriteLogLevel (legacy) or LogLevel rewrite:trace3 in controlled environments—never leave trace on production volumes.

Inheritance between directories

RewriteOptions Inherit (and variants) controls whether parent rewrite maps apply—useful for nested apps but easy to misconfigure. Document the inheritance graph when more than one .htaccess participates.

Security posture

.htaccess is just a file on disk: if CMS plugins or FTP accounts can write it, attackers can inject redirects to phishing or SEO spam. Prefer:

  • Immutable deploy artifacts (read-only docroot except uploads)
  • Version-controlled vhost snippets instead of runtime .htaccess edits
  • Central auth at the reverse proxy or SSO layer
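An added example, not from the original article: a Python audit that walks a docroot and reports .htaccess files (or their directories) that are group/world-writable or writable by the web server account, plus Redirect*/RewriteRule targets on hosts outside an allow-list. The function names, the web_uids parameter, the example hosts and the /var/www/html path are assumptions, and only those two directive families are checked.

```python
import os
import re
import stat

# Directives this example checks: ones that can send a visitor to another host.
DIRECTIVE_RE = re.compile(r"^\s*(Redirect\w*|RewriteRule)\s+(.*)$", re.I)
HOST_RE = re.compile(r"https?://([^\s/\"'?#:]+)", re.I)

def offsite_redirects(text, allowed_hosts):
    """Return [(line_number, host)] for redirect targets outside allowed_hosts."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue  # comments and unrelated directives
        for host in HOST_RE.findall(m.group(2)):
            host = host.rsplit("@", 1)[-1].lower()
            # %{HTTP_HOST}-style targets stay on the requested host; skip them.
            if "%{" not in host and host not in allowed_hosts:
                hits.append((lineno, host))
    return hits

def audit_htaccess(docroot, allowed_hosts, web_uids=(), name=".htaccess"):
    """Walk docroot and return [(path, issue, detail)] findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        if name not in files:
            continue
        path = os.path.join(dirpath, name)
        # A writable directory lets the file be replaced even if it is read-only.
        for target in (path, dirpath):
            st = os.stat(target)
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((target, "group-or-world-writable", oct(stat.S_IMODE(st.st_mode))))
            elif st.st_uid in web_uids and st.st_mode & stat.S_IWUSR:
                findings.append((target, "writable-by-web-user", str(st.st_uid)))
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, host in offsite_redirects(fh.read(), allowed_hosts):
                findings.append((path, "off-site-redirect", f"line {lineno}: {host}"))
    return findings

if __name__ == "__main__":
    # Constructed sample; www.example.org stands in for the site's own host.
    sample = "RewriteEngine On\nRewriteRule ^promo$ https://cdn.example.net/x [R=302,L]\n"
    print(offsite_redirects(sample, {"www.example.org"}))
    for finding in audit_htaccess("/var/www/html", {"www.example.org"}):  # assumed docroot
        print(finding)
```

Permission bits are read with stat rather than os.access so the result does not depend on which account runs the audit.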

Migrating to VirtualHost

Copy rules into <Directory> or <Location> inside the site’s vhost file, run apachectl configtest, reload, then remove .htaccess. Often you can drop RewriteBase entirely once rules live at the correct context. Performance impact is discussed in Apache performance tuning.
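An added example of the copy step above, not code from the original article: a Python helper that renders every .htaccess under a docroot as <Directory> sections for the vhost file, sets AllowOverride None on the tree, and lists RewriteBase and RewriteOptions lines that should be re-checked after the move. The function name, return shape and the /var/www/html path are assumptions.

```python
import os
import re

# Directives the article says to re-check once rules leave .htaccess.
REVIEW_RE = re.compile(r"^\s*(RewriteBase|RewriteOptions)\b", re.I)


def htaccess_to_vhost(docroot, name=".htaccess"):
    """Return (snippet, migrated_paths, review_notes) for every file found."""
    docroot = os.path.abspath(docroot)
    # Turn off the per-request lookup for the whole tree first.
    out = [f'<Directory "{docroot}">', "    AllowOverride None", "</Directory>"]
    migrated, review = [], []
    for dirpath, dirs, files in os.walk(docroot):
        dirs.sort()  # deterministic output; os.walk already lists parents first
        if name not in files:
            continue
        path = os.path.join(dirpath, name)
        out += ["", f"# migrated from {path}", f'<Directory "{dirpath}">']
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                line = line.rstrip()
                if not line:
                    continue
                out.append("    " + line)
                m = REVIEW_RE.match(line)
                if m:
                    review.append((path, lineno, m.group(1)))
        out.append("</Directory>")
        migrated.append(path)
    return "\n".join(out) + "\n", migrated, review


if __name__ == "__main__":
    # /var/www/html is an assumed docroot. Write the snippet into the vhost file,
    # run `apachectl configtest`, reload, and only then delete the migrated files.
    snippet, migrated, review = htaccess_to_vhost("/var/www/html")
    print(snippet)
    for path, lineno, directive in review:
        print(f"# review {directive} at {path}:{lineno}")
```

The helper never deletes anything; the migrated list exists so the .htaccess files can be removed after configtest and a reload succeed.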

Enterprise context

Shared hosting historically relied on .htaccess because customers lacked root; managed Kubernetes or VM images should not. Pair docroot hardening with SELinux types (httpd_sys_content_t vs writable upload types) per Apache configuration guidance.


Frequently Asked Questions

Q. Which directives cannot be used in .htaccess at all?

Anything not marked as valid in the .htaccess context in Apache’s directive quick reference—examples include many server-wide tuning directives like Listen, LoadModule, and global LogLevel defaults. When in doubt, run apachectl configtest after moving a block.

Q. Why does RewriteBase fix some rules only in .htaccess?

Per-directory rewrite applies after the directory prefix is stripped; RewriteBase tells mod_rewrite how to rebuild URLs for redirects and substitutions relative to that prefix. In server or vhost context the URL is already fully qualified differently, so the same rule may not need a base.

Q. How expensive is AllowOverride All?

Apache must stat each path segment for AccessFileName on every request hitting that tree, and parse any found files—CPU and I/O scale with depth and traffic. None removes that walk entirely.

Q. Is Basic auth in .htaccess acceptable?

Only over HTTPS and with strong password files outside the web root; enterprise deployments usually prefer SSO, client certificates, or reverse-proxy auth instead of long-lived .htpasswd files on shared systems.

Q. How do I debug rewrite loops safely?

Raise mod_rewrite log level temporarily in a staging copy with mirrored data; capture a minimal failing URL set; revert log level after diagnosis to avoid disk saturation.

Q. Can I rename AccessFileName to hide .htaccess?

You can set AccessFileName to a less guessable name, but obscurity is not authorization—combine with filesystem permissions and AllowOverride None where possible.

Q. What breaks when moving rules from .htaccess to VirtualHost?

Context changes alter RewriteRule path handling, Authorization provider merge order, and sometimes Options FollowSymLinks requirements—retest all redirects and auth-gated paths.

Q. How does .htaccess interact with PHP-FPM and nginx frontends?

Pure nginx frontends do not read Apache .htaccess; rules must be translated to nginx config or enforced in PHP. Hybrid setups need a single source of truth to avoid divergent behavior.