.htaccess
Posted by admin on August 31 2007 15:18:48
htaccess is the file extension. It is not file.htaccess or somepage.htaccess; it is simply named .htaccess.

In order to create the file, open up a text editor and save an empty page as .htaccess (or type in one character, as some editors will not let you save an empty page). Chances are that your editor will append its default file extension to the name (ex: for Notepad it would call the file .htaccess.txt). You need to remove the .txt (or other) file extension in order to get yourself htaccessing--yes, I know that isn't a word, but it sounds keen, don't it? You can do this by right clicking on the file and renaming it by removing anything that doesn't say .htaccess. You can also rename it via telnet or your ftp program, and you should be familiar enough with one of those so as not to need explaining.

AuthType basic
AuthName "A name to appear in the passwd box"
AuthUserFile /content/web/users/username/.htpasswd
require valid-user

Here's what each of these pieces does.

AuthType
This describes how Apache should ask for authentication. Check the Apache docs for more information.
AuthName
This text will appear in the browser's password dialog box.
AuthUserFile


htaccess files must be uploaded in ASCII mode, not BINARY. You may need to CHMOD the htaccess file to 644 (rw-r--r--). This makes the file usable by the server, but prevents it from being read by a browser; a browser-readable htaccess file can seriously compromise your security. (For example, if you have password-protected directories and a browser can read the htaccess file, then a visitor can get the location of the authentication file and then reverse engineer the list to get full access to any portion that you previously had protected. There are different ways to prevent this: one is to place all your authentication files above the root directory so that they are not www accessible, and the other is through an htaccess series of commands that prevents itself from being accessed by a browser; more on that later.)

Most commands in htaccess are meant to be placed on one line only, so if you use a text editor that uses word-wrap, make sure it is disabled or it might throw in a few characters that annoy Apache to no end, although Apache is typically very forgiving of malformed content in an htaccess file.

htaccess is an Apache thing, not an NT thing. There are similar capabilities for NT servers, though in my professional experience and personal opinion, NT's ability in these areas is severely handicapped. But that's not what we're here for.

htaccess files affect the directory they are placed in and all sub-directories; that is, an htaccess file located in your root directory (yoursite.com) would affect yoursite.com/content, yoursite.com/content/contents, etc. It is important to note that this can be prevented (if, for example, you did not want certain htaccess commands to affect a specific directory) by placing a new htaccess file within the directory you don't want affected with certain changes, and removing the specific command(s) from the new htaccess file that you do not want affecting this directory. In short, the nearest htaccess file to the current directory is treated as the htaccess file. If the nearest htaccess file is your global htaccess located in your root, then it affects every single directory in your entire site.

Before you go off and plant htaccess everywhere, read through this and make sure you don't do anything redundant, since it is possible to cause an infinite loop of redirects or errors if you place something weird in the htaccess.

Also, some sites do not allow use of htaccess files, since depending on what they are doing, they can slow down a server overloaded with domains if they are all using htaccess files. I can't stress this enough: You need to make sure you are allowed to use htaccess before you actually use it. Some things that htaccess can do can compromise a server configuration that has been specifically set up by the admin, so don't get in trouble.

Username/Password Protection

This schema will prompt web users to enter a CASE SENSITIVE username/password pair before serving any content within the directory containing the .htaccess file.  In the simplest of cases there are two files involved, the .htaccess file, and the password file.

The password file is a text file containing a username and an encrypted password, separated by a colon. You can use one password file for many .htaccess files. The entries can be generated here.

The .htaccess file would be placed in the directory that needs password protection, and would look something like this:

AuthUserFile /usr/home/lee/htpasswd - FULL path to the password file. This file doesn't have to be in your public_html.
AuthName "Lee's Secret Area" - This description will appear in the login screen. Multiple words require quotes.
AuthType Basic - Just a line that is required.
<Limit GET POST> - Start of the limit tag. This will set limits on GET and POST requests.
require valid-user - Sets area restrictions such that the user must have a valid login.
</Limit> - End of the limit tag.
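
An added example (not part of the original post): a small Python check for two weaknesses this page touches on. Directives inside <Limit GET POST> apply only to the listed methods, so requests using other methods are not covered by them, and a password file stored under the web root may be fetched if the server does not block it. The function name, the sample files and the document root /usr/home/lee/public_html are assumptions made for illustration.

```python
import re
from pathlib import PurePosixPath

ACCESS = {"require", "allow", "deny", "order", "satisfy"}

def audit_htaccess(text, docroot):
    """Return (line_number, message) findings for one .htaccess file."""
    findings, limit_methods = [], None   # limit_methods is set while inside <Limit>
    root = PurePosixPath(docroot)
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<Limit\s+([^>]*)>", line, re.I)
        if opened:
            limit_methods = opened.group(1).upper().split()
            continue
        if re.match(r"</Limit>", line, re.I):
            limit_methods = None
            continue
        parts = line.split(None, 1)
        directive = parts[0].lower()
        arg = parts[1] if len(parts) > 1 else ""
        if limit_methods is not None and directive in ACCESS:
            findings.append((n, f"'{directive}' only covers {'/'.join(limit_methods)}; "
                                "other HTTP methods are not restricted"))
        if directive in ("authuserfile", "authgroupfile"):
            path = PurePosixPath(arg.strip('"'))
            # Relative paths (resolved against ServerRoot) are not checked here.
            if root in path.parents:
                findings.append((n, f"{path} is inside the document root {root}"))
    return findings

# Constructed samples: the page's layout, first with the password file under
# the (assumed) web root and a <Limit> wrapper, then with both corrected.
DOCROOT = "/usr/home/lee/public_html"
WEAK = """AuthUserFile /usr/home/lee/public_html/secret/.htpasswd
AuthName "Lee's Secret Area"
AuthType Basic
<Limit GET POST>
require valid-user
</Limit>
"""
HARDENED = """AuthUserFile /usr/home/lee/htpasswd
AuthName "Lee's Secret Area"
AuthType Basic
require valid-user
"""

if __name__ == "__main__":
    for lineno, message in audit_htaccess(WEAK, DOCROOT):
        print(f"line {lineno}: {message}")
```

Placing the require line outside any <Limit> block, as in HARDENED, makes it apply to every request method.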

If you are using one password file for multiple .htaccess files, and would like certain users to have access to some areas, but not others, you may want to try one of the following:

a) specify the users by using require user userid:

<Limit GET POST>
require user cisco
require user bob
require user tim
</Limit>

b) set up a group file. This requires you to specify AuthGroupFile. You can now require group whatever.

.htaccess example

AuthUserFile /usr/home/lee/htpasswd
AuthGroupFile /usr/home/lee/htgroup
AuthName "Lee's Secret Area"
AuthType Basic
<Limit GET POST>
require group managers
</Limit>

AuthGroupFile example:

managers: cisco bob tim jeff kari
systems: lee joe cisco
sales: kari tonja


Restricting by IP Address

This only requires the .htaccess file.  There are two approaches to restricting by IP address:

a) deny everyone access, then allow certain hosts/IP addresses

AuthName "Lee's Secret Area"
AuthType Basic
<Limit GET POST>
order deny,allow
deny from all
allow from 199.166.210.
allow from .golden.net
allow from proxy.aol.com
allow from fish.wiretap.net
</Limit>

b) allow everyone except for certain hosts/IP addresses

AuthName "Lee's Secret Area"
AuthType Basic
<Limit GET POST>
order allow,deny
allow from all
deny from .microsoft.com
deny from .evil-hackers.org
deny from 24.112.106.235
deny from morphine.wiretap.net
</Limit>


More Examples

Try crunching the above together into one:

a) only managers can view this page from a .golden.net IP address:

htaccess:
AuthUserFile /usr/home/lee/htpasswd
AuthGroupFile /usr/home/lee/htgroup
AuthName "Lee's Secret Area"
AuthType Basic
<Limit GET POST>
order deny,allow
deny from all
allow from .golden.net
require group managers
</Limit>

AuthGroupFile:
managers: cisco bob tim jeff kari
systems: lee joe cisco
sales: kari tonja

b) managers can view this page from anywhere, everyone else must be from a golden.net IP address:

htaccess:
AuthUserFile /usr/home/lee/htpasswd
AuthGroupFile /usr/home/lee/htgroup
AuthName "Lee's Secret Area"
AuthType Basic
# Default is Satisfy All
Satisfy Any
<Limit GET POST>
order deny,allow
deny from all
allow from .golden.net
require group managers
</Limit>

AuthGroupFile:
managers: cisco bob tim jeff kari
systems: lee joe cisco
sales: kari tonja
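
An added example (not from the original post): a simplified Python model of how Apache 2.2-style Order/Allow/Deny and Satisfy combine, applied to examples a) and b) above. The dictionaries, function names and client addresses are constructed; the model assumes a GET or POST request, that the user already passed the password check, and it ignores netmask/CIDR rules.

```python
GROUPS = {"managers": ["cisco", "bob", "tim", "jeff", "kari"],
          "systems": ["lee", "joe", "cisco"],
          "sales": ["kari", "tonja"]}

def matches(rules, host, ip):
    """True if the client matches any 'allow from' / 'deny from' entry."""
    for rule in (r.lower() for r in rules):
        if rule == "all":
            return True
        if rule[0].isdigit():                      # full or partial IP address
            prefix = rule.rstrip(".")
            if ip == prefix or ip.startswith(prefix + "."):
                return True
        elif host == rule or host.endswith(rule if rule[0] == "." else "." + rule):
            return True                            # whole-label domain suffix match
    return False

def host_allowed(cfg, host, ip):
    allowed = matches(cfg["allow"], host, ip)
    denied = matches(cfg["deny"], host, ip)
    if cfg["order"] == "deny,allow":               # default allow; Allow overrides Deny
        return allowed or not denied
    return allowed and not denied                  # allow,deny: default deny; Deny wins

def access_granted(cfg, host, ip, user=None):
    """user is a login that already passed the password check, or None."""
    host_ok = host_allowed(cfg, host.lower(), ip)
    group_ok = user in GROUPS[cfg["require_group"]]
    if cfg.get("satisfy", "all") == "any":
        return host_ok or group_ok
    return host_ok and group_ok

# Examples a) and b) from this section, written as dictionaries (constructed).
EXAMPLE_A = {"order": "deny,allow", "deny": ["all"], "allow": [".golden.net"],
             "require_group": "managers"}
EXAMPLE_B = dict(EXAMPLE_A, satisfy="any")

# Constructed clients: one inside golden.net, one outside.
INSIDE = ("dialup7.golden.net", "192.0.2.10")
OUTSIDE = ("host.example.org", "198.51.100.7")

if __name__ == "__main__":
    for name, cfg in (("a", EXAMPLE_A), ("b", EXAMPLE_B)):
        for label, client in (("inside", INSIDE), ("outside", OUTSIDE)):
            for user in ("bob", "lee", None):
                print(name, label, user, access_granted(cfg, *client, user=user))
```

Under Satisfy Any a client from .golden.net is served without a password prompt, so for those clients the host rule is the only control on the area.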