
Configuring .htaccess for an Export Website: Security, Performance and Redirects


.htaccess is Apache's per-directory configuration file: powerful, and easy to get wrong. This one small file can handle 301 redirects, URL rewriting, access control, protective rules and performance tuning, but a single mistake in it takes the whole site down. This guide walks through the .htaccess configuration an export-oriented website needs.

1. .htaccess basics

What is .htaccess?

  • Apache's per-directory ("distributed") configuration file
  • Placed in the web root (or any directory), it applies to that directory and everything below it
  • Changes take effect immediately: Apache re-reads the file on every request, so no restart is needed (that per-request read is also why it is slower than the same directives in httpd.conf)
  • The file name starts with a dot, so it is hidden by default
  • It only does anything if the directory's AllowOverride setting permits it; with AllowOverride None the file is silently ignored

Location

/var/www/html/.htaccess  (Linux server)
or
C:\xampp\htdocs\.htaccess  (local XAMPP)

Normally the web root.

Points to note

  • Back up! Copy the existing file before every change
  • Test! Try changes in a staging environment first
  • A syntax error takes the whole site down with a 500 error
  • Some hosting providers disable certain directives (via AllowOverride), so a rule that has no effect is not necessarily a typo

2. Essential security settings

1. Protect .htaccess itself

Without the <Files> container the two directives below would apply to the whole directory and lock everyone out of the site; that is the most common copy-paste accident with these snippets. (Apache's default configuration already denies files starting with ".ht" through a <FilesMatch "^\.ht"> block in httpd.conf; keeping the rule in .htaccess as well does no harm.)

<Files .htaccess>
  Order Allow,Deny
  Deny from all
</Files>

2. Protect wp-config.php (WordPress)

<Files wp-config.php>
  Order Allow,Deny
  Deny from all
</Files>

Order, Allow from and Deny from are Apache 2.2 directives. Apache 2.4 still accepts them only while mod_access_compat is loaded; on a 2.4 host without it, replace the two lines with Require all denied. The same applies to every access-control block in this guide.

3. Disable directory listings

Options -Indexes

Without this, any directory that has no index file shows its full contents (backups, uploads, build artifacts) to anyone who asks. If the host does not allow Options in .htaccess (AllowOverride without Options), this line alone produces a 500; ask the host to enable it or drop it.

# To allow listings for one particular directory, put this in a .htaccess inside that directory (a <Directory> block is not permitted in .htaccess):
Options +Indexes

4. Block access to sensitive files

# Block all hidden files (.env, .htpasswd, .git* files, ...)
<FilesMatch "^\.">
  Order Allow,Deny
  Deny from all
</FilesMatch>

# Block particular file types (the extension list is an example; adjust it to what your site actually stores)
<FilesMatch "\.(bak|sql|log|ini|sh|swp)$">
  Order Allow,Deny
  Deny from all
</FilesMatch>

<Files> and <FilesMatch> test only the last component of the path. A request for /.git/config is therefore not caught by the first block (its file name is "config"); hidden directories need a RedirectMatch or RewriteRule that tests the full path, or better, keep repositories, dumps and backups out of the web root altogether.

5. Block malicious requests

# Reject requests whose query string carries obvious injection attempts
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
  RewriteCond %{QUERY_STRING} GLOBALS(=|\[|%[0-9A-Z]{0,2}) [OR]
  RewriteCond %{QUERY_STRING} _REQUEST(=|\[|%[0-9A-Z]{0,2})
  RewriteRule .* - [F,L]
</IfModule>

Treat this as a speed bump, not a web application firewall: %{QUERY_STRING} is the raw, still URL-encoded query string, only the first condition is case-insensitive ([NC]), the POST body and the path are never inspected, and the first pattern also rejects harmless searches such as ?q=<em>javascript</em>. Keep the application patched and validate input there.
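As an added example (not code from the original guide), here are the three conditions above re-implemented in Python so you can check offline which query strings they reject and which they let through. The sample query strings are constructed for the demonstration; the matching follows Apache's behaviour (raw, URL-encoded query string, [NC] only on the first pattern).

```python
import re
from urllib.parse import unquote

# Added example, not from the original guide: the three RewriteCond patterns
# from the block above, re-implemented in Python so their hits and misses can
# be checked offline. Apache tests %{QUERY_STRING} against the raw, still
# URL-encoded query string; only the first condition carries [NC]
# (case-insensitive), exactly as in the .htaccess snippet.
PATTERNS = [
    re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE),  # [NC,OR]
    re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})"),             # [OR], case-sensitive
    re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})"),            # case-sensitive
]


def is_blocked(query_string: str) -> bool:
    """True if 'RewriteRule .* - [F,L]' would fire, i.e. Apache answers 403."""
    return any(p.search(query_string) for p in PATTERNS)


def classify(query_strings):
    """For each raw query string: (blocked by .htaccess?, what the application
    sees after the web server / PHP decode it once)."""
    return {q: (is_blocked(q), unquote(q)) for q in query_strings}


# Constructed sample query strings for the demonstration (not real traffic).
SAMPLES = [
    "q=<script>alert(1)</script>",          # blocked: literal tags
    "q=%3Cscript%3Ealert(1)%3C/script%3E",  # blocked: single URL-encoding is covered
    "q=%3CSCRIPT%3E",                       # blocked: [NC] on the first pattern
    "x=GLOBALS[foo]=1",                     # blocked: register_globals-style injection
    "x=_request=1",                         # NOT blocked: no [NC] on the _REQUEST condition
    "q=%253Cscript%253E",                   # NOT blocked: double-encoded; reaches an app that decodes twice
    "q=<em>javascript tutorial</em>",       # blocked: a harmless search term (false positive)
    "page=2&sort=price",                    # allowed: ordinary query
]

if __name__ == "__main__":
    for raw, (blocked, decoded) in classify(SAMPLES).items():
        print(f"{'403' if blocked else '200'}  {raw!r:45} -> app sees {decoded!r}")
```

Running it prints one line per sample with the status Apache would return and the once-decoded value. The last three samples are the point: a false positive on an ordinary search, a lower-case _request that passes because the two PHP-variable conditions lack [NC], and a double-encoded payload that passes the filter untouched.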

6. Prevent image hotlinking

<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteCond %{HTTP_REFERER} !^$
  RewriteCond %{HTTP_REFERER} !^https://(www\.)?yourdomain\.com [NC]
  RewriteCond %{HTTP_REFERER} !^https://(www\.)?google\..* [NC]
  RewriteCond %{HTTP_REFERER} !^https://(www\.)?bing\..* [NC]
  RewriteRule \.(jpg|jpeg|png|gif|webp)$ - [F,NC]
</IfModule>

# To serve a placeholder image instead, replace the last RewriteRule with these two lines.
# The extra condition excludes the placeholder itself; without it the rule redirects its own response forever.
# RewriteCond %{REQUEST_URI} !hotlink\.jpg$
# RewriteRule \.(jpg|jpeg|png|gif)$ https://yourdomain.com/hotlink.jpg [R=302,L]

The first condition (an empty Referer is allowed) is deliberate: browsers with a strict Referrer-Policy, privacy extensions and many proxies send no Referer at all, and blocking them would break images for real visitors. It also means the check is bypassed by anyone who sets the header by hand, so this stops casual hotlinking, not a determined scraper.

3. Forcing HTTPS

Standard HTTP to HTTPS redirect

<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{HTTPS} off
  RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

%{HTTP_HOST} is whatever the client put in its Host header. On a server that answers for several names, prefer a hard-coded host name in the target (as in the stricter form below) so that a forged Host header cannot steer the redirect elsewhere. If Apache sits behind a load balancer or CDN that terminates TLS, %{HTTPS} is always "off" on the backend and this rule loops; in that setup test the X-Forwarded-Proto header instead.

Or the stricter form (HTTPS and www in a single hop)

<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{HTTPS} !on [OR]
  RewriteCond %{HTTP_HOST} !^www\. [NC]
  RewriteRule (.*) https://www.yourdomain.com/$1 [L,R=301]
</IfModule>

HSTS (HTTP Strict Transport Security)

# Tell browsers to use HTTPS only (takes effect from the first HTTPS visit onwards)
<IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</IfModule>

# For one year (31536000 seconds) the browser upgrades every request to this host to HTTPS by itself, before it is sent

Browsers ignore the header when it arrives over plain HTTP, so HSTS only works together with the redirect above. includeSubDomains commits every subdomain (mail., staging., ...) to HTTPS for the whole year; make sure they all have valid certificates first, because a browser that has cached the policy can only be reset by receiving max-age=0 over a working HTTPS connection. Start with a short max-age (for example 300) while testing and raise it once everything works.
# 一年后浏览器记住只访问HTTPS版本

4. 301 redirects

1. Single page

Redirect 301 /old-page.html https://yourdomain.com/new-page.html

2. Whole directory

Redirect 301 /old-directory/ https://yourdomain.com/new-directory/

Redirect is a prefix match: /old-directory/a/b.html becomes https://yourdomain.com/new-directory/a/b.html.

3. Domain change

<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{HTTP_HOST} ^olddomain\.com$ [NC,OR]
  RewriteCond %{HTTP_HOST} ^www\.olddomain\.com$ [NC]
  RewriteRule (.*)$ https://www.newdomain.com/$1 [L,R=301]
</IfModule>

4. HTTP to HTTPS (checking the port)

<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{SERVER_PORT} !^443$
  RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

This variant only works when HTTPS really is served on port 443 of this machine; behind a TLS-terminating proxy the backend port is never 443 and the rule loops.

5. Force www, or force no-www

# Force www
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{HTTP_HOST} !^www\. [NC]
  RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [L,R=301]
</IfModule>

# Force no-www (%1 is the host captured by the RewriteCond)
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
  RewriteRule ^(.*)$ https://%1/$1 [L,R=301]
</IfModule>

Pick one form and use it everywhere; having both in the same file is the classic redirect loop.

6. Remove the trailing slash

<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteRule ^(.*)/$ /$1 [L,R=301]
</IfModule>

The !-d condition keeps real directories out of it: without it /wp-admin/ would be redirected to /wp-admin, which Apache then redirects back to /wp-admin/, another loop.
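The following simulator is an added example, not part of the original guide. It encodes the redirect rules of sections 3 and 4 as small Python functions and follows the chain of 301s a browser would see, to show how many hops each variant costs and to catch redirect loops, including the "behind a TLS-terminating proxy" case. www.yourdomain.com is the guide's placeholder host name; the X-Forwarded-Proto handling is an assumption about your proxy and is not configured anywhere on this page.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Added example, not from the original guide: a simulator for the rewrite
# rules of sections 3 and 4. Each rule is a function that receives a request
# and returns None (condition not met) or the absolute URL of the 301 it
# sends. "https_on" stands for %{HTTPS}; "forwarded_proto" stands for an
# X-Forwarded-Proto header from a TLS-terminating proxy (an assumption about
# your hosting setup, not something the guide configures).

CANONICAL_HOST = "www.yourdomain.com"  # the guide's placeholder host name


@dataclass(frozen=True)
class Request:
    https_on: bool             # %{HTTPS} as the backend Apache sees it
    host: str                  # %{HTTP_HOST}, i.e. the client's Host header
    path: str                  # %{REQUEST_URI}
    forwarded_proto: str = ""  # X-Forwarded-Proto, "" if absent


def rule_force_https(req):
    """Section 3, standard form: RewriteCond %{HTTPS} off."""
    return None if req.https_on else f"https://{req.host}{req.path}"


def rule_force_www(req):
    """Section 4.5, force www: RewriteCond %{HTTP_HOST} !^www\\. [NC]."""
    if req.host.lower().startswith("www."):
        return None
    return f"https://www.{req.host}{req.path}"


def rule_https_and_www(req):
    """Section 3, stricter form: both conditions joined by [OR], hard-coded host."""
    if req.https_on and req.host.lower().startswith("www."):
        return None
    return f"https://{CANONICAL_HOST}{req.path}"


def rule_force_https_behind_proxy(req):
    """Proxy-aware variant (assumption): trust X-Forwarded-Proto when present."""
    effective_https = req.https_on or req.forwarded_proto.lower() == "https"
    return None if effective_https else f"https://{req.host}{req.path}"


def follow(rules, req, behind_proxy=False, max_hops=10):
    """Apply the rules in order (the first external redirect wins, like [L,R=301]),
    re-issue the request to the Location header and repeat.
    Returns (hops, looped). With behind_proxy=True the backend never sees TLS
    itself: every re-issued request arrives with https_on=False and
    X-Forwarded-Proto taken from the URL scheme the client used."""
    hops, seen = [], set()
    for _ in range(max_hops):
        target = next((t for t in (rule(req) for rule in rules) if t), None)
        if target is None:
            return hops, False
        if target in seen:                 # same Location twice: a loop
            return hops + [target], True
        seen.add(target)
        hops.append(target)
        parts = urlsplit(target)
        req = Request(
            https_on=(parts.scheme == "https") and not behind_proxy,
            host=parts.netloc,
            path=parts.path or "/",
            forwarded_proto=parts.scheme if behind_proxy else "",
        )
    return hops, True                      # gave up after max_hops: treat as a loop


if __name__ == "__main__":
    first = Request(https_on=False, host="yourdomain.com", path="/products")
    print("two separate rules:", follow([rule_force_https, rule_force_www], first))
    print("combined rule:     ", follow([rule_https_and_www], first))
    proxied = Request(False, CANONICAL_HOST, "/", forwarded_proto="https")
    print("behind proxy, %{HTTPS} rule:", follow([rule_force_https], proxied, behind_proxy=True))
    print("behind proxy, X-Forwarded-Proto rule:", follow([rule_force_https_behind_proxy], proxied, behind_proxy=True))
```

The two separate rules from the guide's template turn http://yourdomain.com/products into two redirects (first to https://yourdomain.com, then to https://www.yourdomain.com); the combined rule does it in one, and because its target host is hard-coded the client's Host header never ends up in the Location header. Behind a proxy the plain %{HTTPS} rule redirects to the same URL again and again, which is exactly what the browser reports as ERR_TOO_MANY_REDIRECTS.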

5. Performance settings

1. Enable Gzip compression

<IfModule mod_deflate.c>
  AddOutputFilterByType DEFLATE text/plain
  AddOutputFilterByType DEFLATE text/html
  AddOutputFilterByType DEFLATE text/xml
  AddOutputFilterByType DEFLATE text/css
  AddOutputFilterByType DEFLATE application/xml
  AddOutputFilterByType DEFLATE application/xhtml+xml
  AddOutputFilterByType DEFLATE application/rss+xml
  AddOutputFilterByType DEFLATE application/javascript
  AddOutputFilterByType DEFLATE application/x-javascript
  AddOutputFilterByType DEFLATE application/json
  AddOutputFilterByType DEFLATE image/svg+xml
</IfModule>

Compress text only; JPEG, PNG, WebP and WOFF2 are already compressed and gain nothing. One security caveat: compressing dynamic HTML that contains both a secret (a CSRF token, a session identifier) and text an attacker can influence is what makes BREACH-style attacks possible. For a mostly static catalogue site this is rarely a concern, but keep it in mind for logged-in pages.

2. Enable browser caching

<IfModule mod_expires.c>
  ExpiresActive On

  # Images
  ExpiresByType image/jpeg "access plus 1 year"
  ExpiresByType image/gif "access plus 1 year"
  ExpiresByType image/png "access plus 1 year"
  ExpiresByType image/webp "access plus 1 year"
  ExpiresByType image/svg+xml "access plus 1 year"

  # CSS and JS
  ExpiresByType text/css "access plus 1 month"
  ExpiresByType application/javascript "access plus 1 month"
  ExpiresByType application/x-javascript "access plus 1 month"

  # Fonts
  ExpiresByType font/ttf "access plus 1 year"
  ExpiresByType font/woff "access plus 1 year"
  ExpiresByType font/woff2 "access plus 1 year"

  # HTML
  ExpiresByType text/html "access plus 1 day"

  # Default
  ExpiresDefault "access plus 1 week"
</IfModule>

A one-year lifetime for images, CSS and JS is only safe with cache-busting file names (style.a1b2c3.css or ?v=...); otherwise visitors keep the old copy until it expires, and a fix to a vulnerable script will not reach them.

3. Cache-Control headers

<IfModule mod_headers.c>
  # CSS and JS: one month
  <FilesMatch "\.(css|js)$">
    Header set Cache-Control "max-age=2592000, public"
  </FilesMatch>

  # Images: one year
  <FilesMatch "\.(jpg|jpeg|png|gif|webp|svg)$">
    Header set Cache-Control "max-age=31536000, public"
  </FilesMatch>

  # HTML: never cache
  <FilesMatch "\.(html|htm)$">
    Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
  </FilesMatch>
</IfModule>

The extension lists follow the comments; adjust them to your file types. Header set overrides whatever mod_expires computed for the same file, so the HTML block here wins over the one-day Expires above; keep the two sections consistent.

4. Disable ETag (optional)

<IfModule mod_headers.c>
  Header unset ETag
</IfModule>

FileETag None

Apache builds the ETag from the file's size and modification time (Apache 2.2 and earlier also included the inode number, which leaks a detail of the server's file system and differs between servers in a load-balanced pool, so the same file was never a cache hit across them). With Last-Modified still present the browser can revalidate without it.

6. WordPress-specific settings

1. WordPress permalinks

<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteBase /
  RewriteRule ^index\.php$ - [L]
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteRule . /index.php [L]
</IfModule>

WordPress rewrites this block itself whenever the permalink settings change (everything between # BEGIN WordPress and # END WordPress), so keep your own rules outside those markers.

2. Restrict wp-admin (protect the dashboard)

<Directory> blocks are not permitted in .htaccess, so these rules go into a separate .htaccess file inside the wp-admin directory itself. Apache has no inline comments: a "# your IP" remark on the same line as Allow from is parsed as another host argument, so keep comments on their own lines.

# Allow only specific IP addresses (contents of wp-admin/.htaccess)
# 203.0.113.10 is a documentation-range placeholder; put your own address here
Order Deny,Allow
Deny from all
Allow from 203.0.113.10

# Or protect it with a password (contents of wp-admin/.htaccess)
AuthName "Restricted"
AuthType Basic
AuthUserFile /path/to/.htpasswd
Require valid-user

Two things break otherwise: wp-admin/admin-ajax.php is called by the public front end (themes, contact forms), so exempt it from the restriction, and wp-login.php lives outside wp-admin, so it needs its own <Files wp-login.php> rule or the restriction is pointless. Create the password file with htpasswd -c /path/to/.htpasswd username, give AuthUserFile an absolute path, and store the file outside the web root so nothing but the hidden-file rule is needed to keep it private.

3. Block direct access to wp-includes

<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteBase /
  RewriteRule ^wp-admin/includes/ - [F,L]
  RewriteRule !^wp-includes/ - [S=3]
  RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
  RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
  RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

4. Block PHP execution in the uploads directory

Put this in wp-content/uploads/.htaccess. An attacker who manages to upload a PHP file (through a vulnerable plugin, for instance) then gets a 403 instead of a shell.

<FilesMatch "\.php$">
  Order Deny,Allow
  Deny from all
</FilesMatch>

Check which extensions your PHP handler is mapped to: if the host also executes .phtml, .php5 or .phar, extend the pattern accordingly, and test by uploading a harmless PHP file yourself.

7. Error pages

Custom error pages

# 404 page
ErrorDocument 404 /404.html

# 403 page (access denied)
ErrorDocument 403 /403.html

# 500 page (server error)
ErrorDocument 500 /500.html

Make sure the error pages themselves are not caught by the deny rules above, or a 403 turns into a second 403 and the visitor sees Apache's bare "Additionally, a 403 Forbidden error was encountered" page. A syntax error in .htaccess produces a 500 before the file is parsed at all, so the ErrorDocument 500 line here cannot cover that case.

Creating a custom error page

# Example 404.html: plain static HTML. Do not echo the requested URL into the page unescaped; error pages are a classic reflected-XSS spot.
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>Page Not Found</title>
</head>
<body>
  <h1>404 - Page Not Found</h1>
  <p>The page you're looking for doesn't exist.</p>
  <p><a href="/">Go to Homepage</a></p>
</body>
</html>

8. IP-based access control

1. Allow only specific addresses

Order Deny,Allow
Deny from all
Allow from 203.0.113.10
Allow from 198.51.100.25

2. Block specific addresses

Order Allow,Deny
Allow from all
Deny from 192.168.1.100
Deny from 10.0.0.0/8

203.0.113.x and 198.51.100.x are documentation ranges standing in for your real addresses (an IPv4 octet cannot exceed 255; Apache rejects anything else). The two words after Order matter more than the order of the lines: with Deny,Allow a matching Allow wins and clients matching neither list are allowed; with Allow,Deny a matching Deny wins and clients matching neither list are denied. A whitelist written as Order Allow,Deny plus Deny from all therefore locks everyone out, including the listed addresses. On Apache 2.4 the same two blocks are written with Require ip ... and Require not ip ... inside <RequireAll>, which has no such ordering trap.
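An added example, not from the original guide: a Python model of how Apache 2.2 evaluates Order, Allow from and Deny from, run over the two blocks above (with documentation-range addresses in place of the placeholders) plus the two common slips. CIDR matching uses the standard ipaddress module; host names and partial forms such as Allow from 10.0 are not modelled.

```python
import ipaddress

# Added example, not from the original guide: a model of how Apache 2.2's
# Order / Allow from / Deny from triple decides a request, run over the two
# blocks above and two common mistakes. CIDR matching uses the standard
# ipaddress module; host names and partial forms such as "Allow from 10.0"
# are not modelled.


def _matches(client_ip, spec):
    """Does one 'Allow from' / 'Deny from' argument match the client address?"""
    if spec == "all":
        return True
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)


def decide(order, allow, deny, client_ip):
    """Return True if client_ip gets through.
    order: "Deny,Allow" or "Allow,Deny"; allow / deny: lists of the arguments
    written after 'Allow from' and 'Deny from'."""
    allowed = any(_matches(client_ip, s) for s in allow)
    denied = any(_matches(client_ip, s) for s in deny)
    if order == "Deny,Allow":
        # Deny is evaluated first, Allow last, so a matching Allow overrides a
        # matching Deny. A client matching neither list is allowed.
        return allowed or not denied
    if order == "Allow,Deny":
        # Allow first, Deny last, so a matching Deny overrides a matching Allow.
        # A client matching neither list is denied.
        return allowed and not denied
    raise ValueError(f"unknown Order: {order!r}")


# Constructed cases: the two blocks from this section and two typical slips.
# Each entry: name -> ((order, allow list, deny list, client ip), expected outcome)
CASES = {
    # Block 1: whitelist written correctly
    "whitelist, listed address":  (("Deny,Allow", ["203.0.113.10", "198.51.100.25"], ["all"], "203.0.113.10"), True),
    "whitelist, other address":   (("Deny,Allow", ["203.0.113.10", "198.51.100.25"], ["all"], "8.8.8.8"), False),
    # Block 2: blacklist written correctly
    "blacklist, address in /8":   (("Allow,Deny", ["all"], ["192.168.1.100", "10.0.0.0/8"], "10.20.30.40"), False),
    "blacklist, other address":   (("Allow,Deny", ["all"], ["192.168.1.100", "10.0.0.0/8"], "203.0.113.10"), True),
    # Slip 1: blacklist under Deny,Allow with "Allow from all": Allow wins, nothing is blocked
    "blacklist with wrong Order": (("Deny,Allow", ["all"], ["192.168.1.100"], "192.168.1.100"), True),
    # Slip 2: whitelist under Allow,Deny with "Deny from all": Deny wins, everyone is locked out
    "whitelist with wrong Order": (("Allow,Deny", ["203.0.113.10"], ["all"], "203.0.113.10"), False),
}


def run_cases():
    """Evaluate every case; returns {name: (decision, decision matches expectation)}."""
    return {name: (decide(*args), decide(*args) == expected)
            for name, (args, expected) in CASES.items()}


if __name__ == "__main__":
    for name, (decision, ok) in run_cases().items():
        print(f"{'ALLOW' if decision else 'DENY ':5}  {name:28}  {'as expected' if ok else 'UNEXPECTED'}")
```

The two "wrong Order" cases are the ones to remember: swapping the words after Order does not just change a default, it decides which of the two lists has the last word, and in both slips the rule set silently does the opposite of what its author intended.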

3. Block unwanted crawlers

SetEnvIfNoCase User-Agent "badbot" bad_bot
<Limit GET POST HEAD>
  Order Deny,Allow
  Deny from env=bad_bot
</Limit>

"badbot" is a placeholder for the User-Agent substring you want to block. The User-Agent string is chosen by the client, so this only turns away crawlers that identify themselves honestly. Listing methods in <Limit> leaves every other method (OPTIONS, PUT, ...) unrestricted; drop the <Limit> wrapper to apply the rule to all methods.

9. A ready-made .htaccess template

Complete template (recommended for an export website)

# Rewrite engine
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteBase /

  # Force HTTPS
  RewriteCond %{HTTPS} off
  RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

  # Force www
  RewriteCond %{HTTP_HOST} !^www\. [NC]
  RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

# Security
<FilesMatch "^\.">
  Order Allow,Deny
  Deny from all
</FilesMatch>

Options -Indexes

# Gzip compression
<IfModule mod_deflate.c>
  AddOutputFilterByType DEFLATE text/html text/plain text/css application/json application/javascript text/xml application/xml
</IfModule>

# Browser caching
<IfModule mod_expires.c>
  ExpiresActive On
  ExpiresByType image/jpeg "access plus 1 year"
  ExpiresByType image/png "access plus 1 year"
  ExpiresByType text/css "access plus 1 month"
  ExpiresByType application/javascript "access plus 1 month"
</IfModule>

# HSTS
<IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</IfModule>

# WordPress permalinks
<IfModule mod_rewrite.c>
  RewriteRule ^index\.php$ - [L]
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteRule . /index.php [L]
</IfModule>

Notes on the template: the two redirect rules cost a visitor arriving at http://yourdomain.com two hops; the combined rule from section 3 does it in one and keeps the client's Host header out of the Location. Keep the redirect rules above the WordPress block so the canonical URL is settled before WordPress's catch-all rule runs, and leave the HSTS line commented out until the redirect has been verified on every subdomain.
10. Common problems and troubleshooting

Problem                          Cause                                         Fix
500 Internal Server Error        Syntax error                                  Check the syntax; comment rules out one at a time until the error disappears, and read the Apache error log, which names the offending line
Redirect loop                    Conflicting rules                             Check the HTTPS and www rules against each other; behind a TLS-terminating proxy test X-Forwarded-Proto instead of %{HTTPS}
Rules have no effect             mod_rewrite not enabled or AllowOverride None Ask the host to enable mod_rewrite and AllowOverride
Hotlink protection not working   The browser or proxy sends no Referer         Use another approach (signed URLs, a CDN hotlink rule)
Gzip has no effect               mod_deflate not enabled                       Check the loaded Apache modules (apachectl -M)

Closing notes

.htaccess is a powerful tool and a double-edged one. Back up before every change; test in a staging environment first; add rules one at a time and test after each; keep a record of what you changed and why. One misplaced character can take the whole site offline, so work carefully: the data comes first.
