Things you can do with .htaccess files

Many of the rules that control access to web content can be amended or extended by using ".htaccess" files. Within user web pages, the limits on what can be done are less restrictive than within departmental web directories.

To use this facility, simply create a file called ".htaccess" within the web content directory that you wish to control. This file must have permissions 0644, but can never be displayed by the web server. However, since the directory path containing it must be at least world-executable, it can be examined by any user logged in to Unix. They may not be able to search for it, but if they suspect the file is there, they can certainly read it.

There was a previous example of using a ".htaccess" file to allow a web surfer to see a directory listing of a portion of your web site. The example required a ".htaccess" file that contained the phrase "Options Indexes". This allows the web server to show a directory listing if the specified web directory does NOT contain an "index.html" file. If there is an "index.html", then any "Options Indexes" clause in a ".htaccess" file will be ignored. This applies even if the permissions of "index.html" do not allow it to be displayed.

Note that the effect of ".htaccess" files is cumulative. They not only apply to the directory containing them, but also to all subordinate directories. If an entire hierarchy of directories contains ".htaccess" files, then the effect is usually to apply the most restrictive of the rules encountered.

".htaccess" files can also be used to restrict access to certain IP addresses or Internet domain names. The department uses the latter rules to restrict access to portions of the site that are classified as "local-only". This is done with an access file that contains:

Order Deny,Allow
Deny From All
Allow From 142.3

The "Order" clause usually contains one of two options. You can specify either deny,allow or allow,deny. These options are written as a single phrase, with no intervening white space.

With a Deny,Allow option the rule reads as: "Deny access to everyone except web clients whose IP address starts with 142.3". The University of Regina's IP addresses are all in the 142.3 block, so access is only allowed to on-campus users, i.e. "local-only".
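
The evaluation order described above, as an added Python example (not part of the original page or of Apache itself): a small model of how the Order, Allow and Deny directives combine, limited to "All" and IPv4 partial addresses. The function names and the LOCAL_ONLY constant are chosen here for illustration.

```python
import ipaddress

def host_matches(spec, client_ip):
    """Match a 'From' spec: 'All', a full IPv4 address, or a partial one."""
    if spec.lower() == "all":
        return True
    spec_octets = spec.rstrip(".").split(".")
    client_octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    # Partial addresses match whole leading octets: 142.3 means 142.3.0.0/16
    return client_octets[:len(spec_octets)] == spec_octets

def parse_rules(text):
    """Extract the Order value and the Allow/Deny specs from .htaccess text."""
    order, allow, deny = "deny,allow", [], []   # Deny,Allow is the default order
    for line in text.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        key = words[0].lower()
        if key == "order":
            order = " ".join(words[1:]).lower()
        elif key in ("allow", "deny") and len(words) >= 3 and words[1].lower() == "from":
            (allow if key == "allow" else deny).extend(words[2:])
    return order, allow, deny

def is_allowed(htaccess_text, client_ip):
    """Return True if the host-based rules admit client_ip."""
    order, allow, deny = parse_rules(htaccess_text)
    allowed = any(host_matches(s, client_ip) for s in allow)
    denied = any(host_matches(s, client_ip) for s in deny)
    if order == "deny,allow":
        # Deny is checked first and Allow overrides it; no match means allowed
        return allowed or not denied
    if order == "allow,deny":
        # Allow is checked first and Deny overrides it; no match means denied
        return allowed and not denied
    raise ValueError("unsupported Order value: " + order)

# The "local-only" rules from this page, embedded as sample input
LOCAL_ONLY = """Order Deny,Allow
Deny From All
Allow From 142.3
"""
```

With the same three lines under "Order Allow,Deny", is_allowed returns False for every address, because "Deny From All" is then applied last.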

Another common use for ".htaccess" files is to require that a user id and password be provided to access some part of a web site. Setting this up is a two-part process. First of all, you must use the "htpasswd" command to create a user id and password file. For details about how to use this command, see "man htpasswd". The password file that you create should not be anywhere within your "public_html" directory tree. Typically the file is created in the root of your home directory. Once the password file exists, create an ".htaccess" file that contains:

AuthUserFile /home/hercules/u/username/Name_of_Your_Password_File
AuthGroupFile /dev/null
AuthName "My Friends Only!"
AuthType Basic

Require Valid-User

Note that the name of your password file must include the full name of the path to your home directory. The "AuthName" clause is used to provide a string that will be displayed in the password prompt pop-up window.

Note: As previously mentioned, this ".htaccess" file only restricts web surfers. Anyone who can log in to Unix can still see the files in the protected directory, as long as they know the name of the file. Since the actual file name is revealed in the URL, it isn't hard to figure out! This means that this technique alone is not particularly useful for such things as limiting access to solutions to assignments. However, if the directory being protected contained a web form that ran a script, then the script can display files that are not world-readable. This could be done with a variant of the PHP example shown in the PHP section.

Not only can these various options be used independently, they can all be combined into a single ".htaccess" file. For a thoroughly nonsensical example, we want to allow anyone in the world, except people in the CS Department or Microsoft, to look at a directory listing, as long as they know the secret password!

Options Indexes

AuthUserFile /home/hercules/u/username/Name_of_Your_Password_File
AuthGroupFile /dev/null
AuthName "No Computer Geeks!"
AuthType Basic

Satisfy All

Order Allow,Deny
Allow From All
Deny From,

Require Valid-User 

There are many more rules that can be locally applied via an ".htaccess" file. For details, read the Apache Manual and look for Directives that are applicable to "htaccess".