Web Tool Bag  
.htaccess
htaccess is the file extension. It is not file.htaccess or somepage.htaccess, it is simply named .htaccess

In order to create the file, open up a text editor and save an empty page as .htaccess (or type in one character, as some editors will not let you save an empty page). Chances are that your editor will append its default file extension to the name (ex: for Notepad it would call the file .htaccess.txt). You need to remove the .txt (or other) file extension in order to get yourself htaccessing--yes, I know that isn't a word, but it sounds keen, don't it? You can do this by right clicking on the file and renaming it by removing anything that doesn't say .htaccess. You can also rename it via telnet or your ftp program, and you should be familiar enough with one of those so as not to need explaining.

AuthType basic
AuthName "A name to appear in the passwd box"
AuthUserFile /content/web/users/username/.htpasswd
require valid-user

Here's what each of these pieces does.

AuthType
This describes how Apache should ask for authentication. Check the Apache docs for more information.
AuthName
This text will appear in the browser's password dialog box.
AuthUserFile


htaccess files must be uploaded in ASCII mode, not BINARY. You may need to CHMOD the htaccess file to 644 (rw-r--r--). This makes the file usable by the server, but prevents it from being read by a browser, which could seriously compromise your security. For example, if you have password-protected directories and a browser can read the htaccess file, a visitor can get the location of the authentication file and then reverse engineer the list to get full access to any portion that you previously had protected. There are different ways to prevent this: one is to place all your authentication files above the root directory so that they are not www accessible, and the other is a series of htaccess commands that prevents the file itself from being accessed by a browser (more on that later).

Most commands in htaccess are meant to be placed on one line only, so if you use a text editor that uses word-wrap, make sure it is disabled or it might throw in a few characters that annoy Apache to no end, although Apache is typically very forgiving of malformed content in an htaccess file.

htaccess is an Apache thing, not an NT thing. There are similar capabilities for NT servers, though in my professional experience and personal opinion, NT's ability in these areas is severely handicapped. But that's not what we're here for.

htaccess files affect the directory they are placed in and all sub-directories; that is, an htaccess file located in your root directory (yoursite.com) would affect yoursite.com/content, yoursite.com/content/contents, etc. It is important to note that this can be prevented (if, for example, you did not want certain htaccess commands to affect a specific directory) by placing a new htaccess file within the directory you don't want affected, and leaving out of the new htaccess file the specific command(s) that you do not want affecting this directory. In short, the nearest htaccess file to the current directory is treated as the htaccess file. If the nearest htaccess file is your global htaccess located in your root, then it affects every single directory in your entire site.

Before you go off and plant htaccess everywhere, read through this and make sure you don't do anything redundant, since it is possible to cause an infinite loop of redirects or errors if you place something weird in the htaccess.

Also, some sites do not allow use of htaccess files, since depending on what they are doing, they can slow down a server overloaded with domains if they are all using htaccess files. I can't stress this enough: you need to make sure you are allowed to use htaccess before you actually use it. Some things that htaccess can do can compromise a server configuration that has been specifically set up by the admin, so don't get in trouble.

Username/Password Protection

This schema will prompt web users to enter a CASE SENSITIVE username/password pair before serving any content within the directory containing the .htaccess file.  In the simplest of cases there are two files involved, the .htaccess file, and the password file.

The password file is a text file containing a username and an encrypted password, separated by a colon.  You can use one password file for many .htaccess files.  The entries can be generated here.

The .htaccess file would be placed in the directory that needs password protection, and would look something like this:

AuthUserFile /usr/home/lee/htpasswd - FULL path to the password file. This file doesn't have to be in your public_html.
AuthName "Lee's Secret Area" - This description will appear in the login screen. Multiple words require quotes.
AuthType Basic - Just a line that is required.
<Limit GET POST> - Start of the limit tag. This will set limits on GETs and POSTs.
require valid-user - Sets area restrictions such that the user must have a valid login.
</Limit> - End of the limit tag.
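
Access directives wrapped in a Limit GET POST section apply only to the listed methods, so requests made with any other method are not covered by the require line; keeping the password file outside the document root is the other precaution mentioned earlier on this page. The Python check below is an added example, not part of the original article: audit_htaccess, the method list and the document-root path are assumptions, and it flags both conditions in a .htaccess body.

```python
import re
from pathlib import PurePosixPath

# Common methods (not exhaustive); in Apache a limit on GET also covers HEAD.
METHODS = {"GET", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "PATCH"}
ACCESS = {"require", "allow", "deny", "order", "satisfy"}

def audit_htaccess(text, docroot):
    """Return [(line_no, finding)] for a .htaccess body; docroot is caller-supplied."""
    findings, limited = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<Limit\s+([^>]+)>$", line, re.I)
        if opened:                       # entering a <Limit ...> section
            limited = {m.upper() for m in opened.group(1).split()}
            continue
        if re.match(r"</Limit>$", line, re.I):
            limited = None
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        if limited is not None and name in ACCESS:
            uncovered = ", ".join(sorted(METHODS - limited))
            findings.append((no, f"'{line}' is inside <Limit>; not applied to: {uncovered}"))
        if name in ("authuserfile", "authgroupfile") and len(parts) == 2:
            path = PurePosixPath(parts[1].strip('"'))
            if PurePosixPath(docroot) in path.parents:
                findings.append((no, f"{parts[0]} {path} is inside the document root"))
    return findings

# Constructed samples; /usr/home/lee/public_html is an assumed document root.
DOCROOT = "/usr/home/lee/public_html"
WEAK = """AuthUserFile /usr/home/lee/public_html/.htpasswd
AuthName "Lee's Secret Area"
AuthType Basic
<Limit GET POST>
require valid-user
</Limit>
"""
HARDENED = """AuthUserFile /usr/home/lee/htpasswd
AuthName "Lee's Secret Area"
AuthType Basic
require valid-user
"""
if __name__ == "__main__":
    for no, finding in audit_htaccess(WEAK, DOCROOT):
        print(f"line {no}: {finding}")
```
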

If you are using one password file for multiple .htaccess files, and would like certain users to have access to some areas, but not others, you may want to try one of the following:

a) specify the users by using require user userid:

<Limit GET POST>
require user cisco
require user bob
require user tim
</Limit>

b) set up a group file. This requires you to specify AuthGroupFile.   You can now require group whatever.

.htaccess example

AuthUserFile /usr/home/lee/htpasswd
AuthGroupFile /usr/home/lee/htgroup
AuthName "Lee's Secret Area"
AuthType Basic
<Limit GET POST>
require group managers
</Limit>

AuthGroupFile example:

managers: cisco bob tim jeff kari
systems: lee joe cisco
sales: kari tonja


Restricting by IP Address

This only requires the .htaccess file.  There are two approaches to restricting by IP address:

a) deny everyone access, then allow certain hosts/IP addresses

AuthName "Lee's Secret Area"
AuthType Basic
<Limit GET POST>
order deny,allow
deny from all
allow from 199.166.210.
allow from .golden.net
allow from proxy.aol.com
allow from fish.wiretap.net
</Limit>

b) allow everyone except for certain hosts/IP addresses

AuthName "Lee's Secret Area"
AuthType Basic
<Limit GET POST>
order allow,deny
allow from all
deny from .microsoft.com
deny from .evil-hackers.org
deny from 24.112.106.235
deny from morphine.wiretap.net
</Limit>


More Examples

Try crunching the above together into one:

a) only managers can view this page from a .golden.net IP address:

htaccess:
AuthUserFile /usr/home/lee/htpasswd
AuthGroupFile /usr/home/lee/htgroup
AuthName "Lee's Secret Area"
AuthType Basic
<Limit GET POST>
order deny,allow
deny from all
allow from .golden.net
require group managers
</Limit>

AuthGroupFile:
managers: cisco bob tim jeff kari
systems: lee joe cisco
sales: kari tonja

b) managers can view this page from anywhere, everyone else must be from a golden.net IP address:

htaccess:
AuthUserFile /usr/home/lee/htpasswd
AuthGroupFile /usr/home/lee/htgroup
AuthName "Lee's Secret Area"
AuthType Basic
# Default is Satisfy All
Satisfy Any
<Limit GET POST>
order deny,allow
deny from all
allow from .golden.net
require group managers
</Limit>

AuthGroupFile:
managers: cisco bob tim jeff kari
systems: lee joe cisco
sales: kari tonja
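
How the two combined examples above evaluate can be traced with a small model, added here as an example that is not part of the original article and is not Apache code. It assumes the client's host name has already been resolved by the server and that a non-empty user means the password was verified; all function and variable names are hypothetical.

```python
# Simplified model of Apache 2.2-style Order/Allow/Deny plus "require group",
# combined by Satisfy. Added illustration, not Apache code; names are hypothetical.

def host_matches(spec, ip, host):
    """True if one 'allow from' / 'deny from' value matches the client."""
    if spec == "all":
        return True
    if spec.replace(".", "").isdigit():        # full or partial IPv4 address
        prefix = spec.rstrip(".")
        return ip == prefix or ip.startswith(prefix + ".")
    name = spec.lstrip(".").lower()            # full or partial domain name
    host = (host or "").lower()
    return host == name or host.endswith("." + name)

def host_allowed(order, allow, deny, ip, host):
    a = any(host_matches(s, ip, host) for s in allow)
    d = any(host_matches(s, ip, host) for s in deny)
    if order == "deny,allow":                  # default allow, Allow overrides Deny
        return a or not d
    if order == "allow,deny":                  # default deny, Deny overrides Allow
        return a and not d
    raise ValueError(f"unknown order: {order}")

def access_granted(cfg, ip, host, user=None):
    """user: login name whose password was already verified, or None."""
    host_ok = host_allowed(cfg["order"], cfg["allow"], cfg["deny"], ip, host)
    user_ok = user in cfg["groups"].get(cfg["require_group"], ())
    if cfg["satisfy"] == "any":
        return host_ok or user_ok
    return host_ok and user_ok                 # Satisfy All (the default)

GROUPS = {"managers": ["cisco", "bob", "tim", "jeff", "kari"],
          "systems": ["lee", "joe", "cisco"], "sales": ["kari", "tonja"]}
EXAMPLE_A = {"order": "deny,allow", "deny": ["all"], "allow": [".golden.net"],
             "require_group": "managers", "groups": GROUPS, "satisfy": "all"}
EXAMPLE_B = dict(EXAMPLE_A, satisfy="any")

if __name__ == "__main__":
    # Constructed clients: (ip, resolved host name, verified user or None)
    clients = [("192.0.2.10", "pc1.golden.net", "bob"),
               ("203.0.113.7", "dsl.example.org", "bob"),
               ("192.0.2.11", "pc2.golden.net", None),
               ("203.0.113.8", "dsl.example.org", "lee")]
    for c in clients:
        print(c, "A:", access_granted(EXAMPLE_A, *c), "B:", access_granted(EXAMPLE_B, *c))
```

With Satisfy Any, a client from .golden.net is served without any login, which is the behaviour example b) describes.
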


Posted by admin on August 31 2007 15:18:48
Copyright © 2024 - www.webtoolbag.com