.htaccess Magic

By J.M. Ivler (Send Email)
Posted Oct 15, 1999

The .htaccess file provides the ability for information protection on the HTTP server. It can also provide you with a bit more control. The .htaccess file provides the ability for information protection on the HTTP server.

Most Web servers hav e configuration controls and commands that permit fine granularity of access control to pages and data that reside on the server. Th is can generally be done from either the system-wide configuration files or from the .htaccess files. The .htaccess files have the s ame directory limitation capabilities that are available from the configuration files, but are set up in a way that permits direct a ccess to configuration by the person maintaining the directory, and doesn''t require server restart to upgrade or modify the securit y of the directory. Experts in the engineering profession refer to this type of file as empowering, since control for security of th e data within the sphere of control for that directory belongs to the person who accepts responsibility for that directory.


The .htaccess file provides the ability for information protection on the HTTP server. That means that access control via the HTTP protocols are controlled on all the page information and data within a directory. This protection is generally done by a user name and a password schema. What does that mean for you? It means that you can provide limited access to the pages under a di rectory structure by allowing only certain people and certain action within the directory structure. This requires the use of two fi les. The first is the .htaccess file that lives in the directory where the access will be granted or limited. The second is the .htp asswd file which can live in any location within the server. The full Unix pathname is required to define the file and its location. Here is an example of the contents of an .htaccess file.

AuthUserFile /secdir/.htpasswd
AuthGroupFile /dev/null
Auth Name ByPassword
AuthType Basic

require user zippy

As you can see, the file has some interesting capabilities. Using this file, we can allow or disallow access from domains, from individual groups of users, or from an individual user. Let''s take a closer look at how we would accomplish each of these. Allowing and Disallowing Domains In this case, we have no need for the password and the group files. In addition, we will be using the basic method. So our .htaccess file would s tart with:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName AllowLocalAccess
AuthType Basic

Not e that we have set the password and the group files to /dev/null. This has been done to ensure that there is no chance of picking up some stray or unnecessary file.

order deny,allow
deny from all
allow from .localdomain.com

Here we have effectively limited access to the directory by stating that the user can only do GETs and POSTs if we permit that from their domain. The first thing we do is deny everyone access to GET and POST; this is the default state. We use t he keyword all to make the default cover anyone we don''t wish to have access. Then, we use the allow directive for domains to which we want to allow access. Note that we prefix the domain with a period character. That means that any subdomain within that domain c an access the directory. The allow and deny directives are permitted to have multiple hosts on the allow and deny lines. The followi ng line in the file above would have allowed people from .localdomain.com and .otherlocal.com to access the private directory.

< I>allow from .localdomain.com .otherlocal.com

You can further enhance the limitations by using the require directive, as in these examples:

require user ivler
require group authors
require valid-user husain

The require user direc tive states that, even if a person is permitted by the allow directive, their user name still must be in the permitted users file (. htpasswd). The require user form of the directive means that the person''s user name must be in the group file if the keyword is gro up. And, if the keyword is valid-user, the user must enter their name and password to validate that they are permitted into the dire ctory. By default, the user must satisfy all the given directives. The file can also contain the directive satisfy. The satisfy dire ctive is used to allow any (a keyword) require directive to be satisfied, and then all directives will be satisfied. Again, the defa ult is the keyword all, so it is not required. This is used to open the security up a tad, rather than keeping it tightly closed.

Allowing and Disallowing Users

, an internet.com Web site.

Page 1 of 4

Comment and Contribute

Your name/nickname

Your email

(Maximum characters: 1200). You have characters left.



Thanks for your registration, follow us on our social networks to keep up-to-date