Hi Sid, welcome to the forums. The Charter for Apache forum: [webmasterworld.com...] and the Library: [webmasterworld.com...] have some handy links to references for common Apache tasks. It is a good dependable place to look first. From your question, it looks like there is some really bad advice floating around somewhere.

ErrorDocument 403 "<center><h1>Access is Forbidden.</h1></center>

is more likely to serve up a 500 than 404 or 403. The htaccess doesn't create pages, the html needs to actually be on a real page on your site, then you tell the server where to find it:

ErrorDocument 403 /403.html

Most servers have built in error pages so creating your own is optional. It is just more user friendly to build your own error pages.

Most shared hosting Apache server sites have a ControlPanel that lets you easily control how addon domains are served. You just set it to be either an addon or a subdomain. A subdomain can be accessed the way you describe but an addon cannot. If you set the root domain's htaccess file to serve up a 403 (Forbidden) or 404 (Not Found) then you may not be able to access the addon in any way. I don't think you want that to happen. Shared hosting is not configured the same way on all hosts, but most hosts can help you to set up addon domains to work the way you want using their control panel.

If you really do want to make it impossible to access those addon domains, that can be done, but first we need to know that we aren't working against the local server's setup.

Oh, and when you visit the Charter, you'll see that this is a self help group where we'll help you learn how to do things right, but we don't just hand out the code, so you need not worry about getting some untested code handed to you.

Hi not2easy,
Thanks for the quick reply. Much obliged.

Regarding the 403 Error Message: My coffee hadn't kicked in. As I said in the title, I wanted 404, and I have a custom 404 page for www.example.com. However, regarding the 403 message, the apache org website says you can do 4 things with errors - one of them being to display a message, and the example they provide for 403 is: ErrorDocument 403 "Sorry can't allow you access today" and I've tested and it works great every time.

But back to the main concern. All the shared hosts I've used are set up this way: "An addon domain, when created, points to a subfolder or subdomain of the main domain in our system." When creating the addon, you enter 1) addon domain name 2) Directory/Subdomain (i.e. folder you want domain to point to) 3) Password. That's it. Files are uploaded to this subfolder, and you CAN get to the addon domain one of the three ways I mentioned above unless you redirect or rewrite in htaccess.

Now, accepting this to be true, why is it BAD for me to want example.com to show it's 404 page for #2 or #3 above since I'd rather keep the websites separate? If there is a good reason from a G**gle perspective, then I'll do redirects or rewrites! I tried that earlier and with SO MANY conflicting examples, it didn't work and I feel quite comfortable updating htaccess. But I have to get this fixed. Could you please share proven code with me? Thanks a billion, mate or anyone else out there :-D.

A quick search here turned up some excellent advice:
_{(from jdMorgan - 2008)}
[webmasterworld.com...]

In /addon_folder/.htaccess:

RewriteEngine on
#Redirect to example.com if request was made to www.addon.example.com or addon.example.com
RewriteCond %{HTTP_HOST} ^(www\.)?addon\.example\.com [NC]
RewriteRule (.*) http://example.com/$1 [R=301,L]

In example.com/.htaccess:

# If [i]direct client request[/i] for www.example.com/addon or example.com/addon, redirect back to addon domain
RewriteCond %{HTTP_HOST} ^(www\.)?example\.com [NC]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /addon/?
RewriteRule ^addon/?(.*)$ http://addon.com/$1 [R=301,L]

Checking THE_REQUEST ensures that /addon was directly requested by the client, and is not the result of the internal rewrite used to map addon.example.com to /addon. If the request was direct, we want to redirect it. If the request was the result of the internal rewrite, we do not want to redirect it, because that would break the addon subdomain.

You really have three choices here, and you should think about what you want to do. If you get a request for example.com/addon/ or addon.example.com, you can:
Redirect to addon.com
Redirect to example.com
Deny access -- Return 403-Forbidden

The code above shows one example for each of the first two choices in the list.

The choices you make will depend on whether or not your addon-domain folders have already been "exposed" to search engines, and how well you test your sites. Obviously, you don't want to return 403-Forbidden unless the folder paths have never been published, and you are sure that you will never link to them accidentally. All-in all, I think I prefer the rule "If an incorrect URL mentions "addon", correct it by redirecting to addon.com".

There is further discussion at the link above, but I added the quote here to save time and to let you see some of the things to keep in mind about returning a 404 (or 403) when handling this kind of problem.

This part: "Obviously, you don't want to return 403-Forbidden unless the folder paths have never been published, and you are sure that you will never link to them accidentally." because if thee current setup has been in place for some time and if the addon domains have any pages indexed you don't want all those URLs to return a 404, the addon domains will be starting over. By redirecting the traffic to its proper domain and URL, the pages that are indexed will gradually be changed to be indexed properly as they are crawled. You will want to be sure to have htaccess set up in the domain folders with canonical rewrites for each of those domains. If they had been there to begin with, the URLs would never have been seen.

Don't worry others will add their own advice here, I'm just one of many and don't always have the ideal answer.

Thanks. I guess I'll have to do rewrites since one addon has some pages indexed. BUT - the webpage that the above text is from is one of many I've had up in a browser window for days! It's just not clear and here's why:

It looks to me that his first example handles subdomain rewrite, and the second example handles subfolder rewrite, OK? BUT as he explains further down, the first example rewrites to example.com and the second to the addon. This is confusing! So I use the two examples above but in the first, replace example.com with the addon? And update both htaccess files?

And another of his posts I no longer have up, mentions the need for an additional rewrite to avoid looping ... may have the term wrong.

I need rewrites that will work, won't cause looping, that will prevent anyone from accessing addon domains via example.com either through the subdomain or subfolder. I'm going broke trying stuff. Am I close? Can you clear this up for me, perhaps? Many thanks.

Referring strictly to your original post:

I want them to receive a 404 from www.example.com. I have ErrorDocument 403 "<center><h1>Access is Forbidden.</h1></center> in my htaccess file.

Why do you want to display 403 text in response to a 404 status? Are you trying to scare away your visitors? Oh, wait, red herring, you're showing the 403 example.

It's true that you can put a variety of content into an ErrorDocument directive, and one option is simply "text to display". And it will come through as formatted HTML if the material in quotation marks includes HTML tags. I hand-checked the missing close quote in case that was a typo. It doesn't throw a 500 error, but it's still not good practice.

But most people make a custom error document and cite it by name. We can come back to that; it's not really relevant to your question.

All of the examples I've found except two show 301 rewrites.

Not sure what you mean by this. Memorize these two expressions, noting the double markedness:
-- external redirect
-- internal rewrite
A 301 is by definition a redirect. I wish you'd explain a little more clearly why you don't want a redirect from the incorrect URL to the correct one, since this is indeed the normal response as well as the most user-friendly.

A 404 response is normally returned by the server when it looks and can't find a file, but it's perfectly possible to return it manually as well. It can be done either in mod_alias (Redirect by that name, though it's not restricted to 300-class responses) or in mod_rewrite (RewriteRule). But here you have to use mod_rewrite because you need a RewriteCond looking at %{HTTP_HOST}. If the wrong forms have already been indexed, you might choose a 410 ([G] flag in mod_rewrite) instead. If nothing else, it will make the googlebot go away a lot faster.

We all know I can get to addon domain three ways, via: 1) www.addon.com 2) addon.example.com 3) (www).example.com/addon.

What does "we all know" mean? I don't know anything of the sort; the varying forms of access depend entirely on the server configuration in conjunction with DNS settings. It may not even be necessary for you to create new rules of your own. Look at the host's control panel-- or contact a human at tech support-- and see if you can wipe out the unwanted options. #2 should be very easy to eliminate, since subdomains are never enabled by default.

As I think you know, the # part is just a comment, it can be left there to let you know what the rule is for and it can be left "as-is" or edited to match your own circumstances. In the rules, wherever "addon" is used you would put in the name of the addon domain but where example.com is used, you put the main domain name in place of example.

The first rule is added to the addon domain folder htaccess file and the second rule is added to the main domain's htaccess file.

What this first rule does is that when a browser requests the example.com/addon pages from the addon domain, it replaces anything in the URL that is not requesting a file from the "addon" domain. What the second rule does is that if a browser requests an URL from example.com that contains /addon/ or .addon that the request is rewritten to eliminate example.com from the request and send it off to the actual addon.com domain with the page request appended at the end.

A loop happens when one rule causes another rule to be invoked and the rules trade it back and forth until the server sends a 500 error. That's the reason it is a good practice to leave the #commented notes so you or someone else doesn't accidentally edit the wrong rule 5 years from now.

The second rule shown for the example.com htaccess will need to be duplicated to handle each addon domain hosted in its account. The first rule will need to be added into each addon domain's htaccess.

If these produce a loop you may have some other rules in place that are causing that. I'm guessing that these aren't the only rules in your htaccess files. That's what makes this request:

And please don't provide code unless you've actually tested it and it works.

kind of impossible - only you can test.

It would be a miracle if someone can give me a solution that actually works.

Oops, missed this. You may have the wrong venue. Over on That Other Forum you can post a question and receive a precise answer-- or, more likely, an irritated post saying that this question was answered in 2006 so why are you asking again? But WebmasterWorld uses the teach-a-man-to-fish approach. That means you start by posting the exact code that you yourself have tried, and then explain exactly what happens. I stress "exact": saying "it doesn't work" does not get us far.

Thanks lucy24 and not2easy.

not2easy: OK, so in the second rule, if the request includes addon subfolder, then the rewrite goes to the canonical (www for mine) addon domain and the user sees the website there. Each addon htaccess gets the code - cool, I get it.

But the first example looks to me like the rewrite, when encountering a "subdomain" request, is going to the main domain, which we're calling example.com ... even the comment says that. Is that what you're saying? I'd think we'd want the request to go to the addon domain like the other. I understand that you need one for each addon in example's htaccess, but I guess my assumption was wrong. If the subdomain is part of the request, we rewrite to example.com. Correct?

I do have htaccess files at example.com and all addon domains. I don't have any conflicts to this point, so don't think I'll have to worry about looping - thanks for the explanation. And I do realize everybody's environment is different, but so many websites just copy and paste the same code and some of it just doesn't work. I do my best to make sure everything is perfect, is satisfies my OCD - ha.


lucy24: me bad - double quote has been fixed! It was recommended that I do that to save bandwidth as no file is sent out. My logs did show that all the 403s were requests for non-existing login or admin files, so I like it. But you're right - that's another topic.

When I restructured my own website 5 years ago, G**gle recommended "Redirect 301" statements, so I seem to think of all of them as redirecting due to that.

On the shared hosts I've encountered in my years (all cPanel), a subdomain IS created by default when an addon is created. The hosts tell you this ... quote from one of the biggest hosts: "Every addon domain is also a subdomain. You may actually load your addon domain using any of the following URLs:..." and they go on to give the 3 examples I gave in my first post. So I was wrong to assume it was common knowledge, but in my experience it's how many shared hosts operate and certainly what many of your readers are familiar with.

Thanks folks! Hope to get this all cleared up soon. Appreciate your time and help.

Yes, that is what I said here "The first rule is added to the addon domain folder htaccess". And yes, it does send the request back to the example.com folder where the htaccess will redirect it properly. Notice that one uses {HTTP_HOST} parameter and one uses {THE_REQUEST} so only requests and not results of rewrites meet the rule. Lucy mentioned the difference above and it is spelled out in the text in the quoted post.

Well, I've copied and pasted this dialog in a notepad file and will try to find tutorials somewhere that actually explain Rewrites, HTTP_HOST, THE_REQUEST, etc. to newbies in plain English. I'm not new to htaccess at all, but I am to Rewrites. And 2 days of reading conflicing answers on websites with scant explanations obviously hasn't helped much. I though I was being considerate NOT showing you all the code I'd tried or considered ... who knew. I'm a little exhausted having spent the last 3 days trying to fend off a brute force attack against one of my clients WP blogs. Anyway, sorry it just isn't as clear to me as it should be apparently ... I still don't understand some of the statements ... I guess I have htaccess Rewrite disability - HRD - lol. Thanks again for your time and assistance. Sid