Using htaccess

What are .htaccess files, and how do I use them?

.htaccess files give users flexibility in configuring their website. When the web server allows them, they let users change the default web server configuration in the directory where the file is placed and in any subdirectory below it. The Apache .htaccess documentation contains a complete list of options that can be used in an .htaccess file.

Website Authentication

One of the most common uses of the .htaccess file is to limit access to the pages in question. There are three ways to do this:

  • By IP address
  • By non-uniqname and password
  • Via mod_cosign (using university uniqname/friend account and Kerberos combination)

Filtering access by IP address

The cool thing about filtering by network address is that you can filter on hostname or by IP address. For example, the following block of text placed in your .htaccess file will allow all access from inside the University of Michigan (including Dearborn and Flint):

order deny,allow
deny from all
allow from 141.211.
allow from 141.212.
allow from 141.213.

You could replace the IP addresses with hostnames. For example would also allow all machines inside the University to view the directory.

Filtering Access via Username and Password (not mod_cosign)

This method should only be used if you really don't have any other alternatives.

Please contact the webmaster to make sure you don't have any other options before taking this route. Do not use this method to secure sensitive data, such as grades or embargoed data.

If you want to use a username and password, you need both a .htaccess file and a .htpasswd (password) file. The .htaccess file contains the directives that point to the .htpasswd file, which contains the username and the password to grant access.

In this case, the .htaccess file will have the following directives:

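AuthType Basic
# AuthName (the realm shown in the login prompt) is required with AuthType Basic; the text is an example
AuthName "Restricted Area"
AuthUserFile /path/to/htpasswd/file/.htpasswd
Require valid-user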

The AuthUserFile should be placed someplace where the webserver can't serve it out (i.e., in your network home directory but not in the public_html folder), but be readable by the web server.

The passwords in the .htpasswd file must be stored in hashed form rather than as plain text, so there are two ways to create the file. The first is to use a website that does the encryption for you and then copy the resulting lines into the .htpasswd file. The alternative is to use the htpasswd command on your local machine to create the passwords.

Filtering Access with mod_cosign

First, you must have SSL turned on for any pages you want to put behind cosign. The simplest way to do that is to have SSLRequireSSL at the top of your htaccess file.

URLs for SSL pages MUST start with https://. Trying to access an SSL- or Cosign-protected page from http:// will generate an error, and the server produces a rather uninformative error page. If you are having trouble, the first thing to check is that the URL starts with "https://".

Turning Cosign On

To use Cosign add the following to the .htaccess file:

<IfModule mod_cosign.c>
  CosignProtected On
  AuthType Cosign
</IfModule>

This simply turns Cosign on. At this point, anyone with a uniqname or friend account can access your page. To limit the users who can see it, you'll need to add a few more restrictions. Adding a few more lines to your .htaccess file is the easiest way, or you can use PHP if you want finer control over what the user sees.

Restricting access via MCommunity

The simplest way to further restrict who can access your page is to use an MCommunity group (the online directory, accessible at

To use an MCommunity group, add the following above the </IfModule> line in the Cosign block above:

AuthLDAPURL ldap://,dc=edu?uid??(uid=*) NONE
AuthzLDAPAuthoritative on

Now you're ready to add the lines that will actually tell the server who is allowed to see the page. You'll need a separate Require line for each LDAP user or group. For example, the following grant access to anyone who's a member of either the astrofac or astrovotefac groups:

Require ldap-group cn=astrofac,ou=User Groups,ou=Groups,dc=umich,dc=edu
Require ldap-group cn=astrovotefac,ou=User Groups,ou=Groups,dc=umich,dc=edu

Individual users need a different Require statement. For uniqnames, it simply looks like:

Require ldap-user uniqname1 uniqname2 ...

You can put several user names on the same line, but for readability you may want to limit the number per line to something easy to follow.

Friend Accounts

As of August 2013, friend accounts must be added separately, even if they are in a UMOD group.

To add a friend, add:

 Require user name1 name2 ...

to your .htaccess file. You can put several user names on the same line, but for readability you may want to limit the number per line to something easy to follow.

Example file

An .htaccess file that only allows Astronomy GSIs to see a page looks like:

<IfModule mod_cosign.c>
  CosignProtected On
  AuthType Cosign
  AuthLDAPURL ldap://,dc=edu?uid??(uid=*) NONE
  AuthzLDAPAuthoritative on
  Require ldap-group cn=astro-gsi,ou=User Groups,ou=Groups,dc=umich,dc=edu
</IfModule>
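
The points made in the authentication sections above can be checked mechanically before an .htaccess file goes live. The following Python check is an added example, not part of the original article or of Apache: it reads the text of an .htaccess file and reports authentication without SSLRequireSSL, Basic auth without AuthName, a password file inside public_html, a Cosign block with no Require line, and an unclosed <IfModule>. The finding codes, the sample files and the jsmith path are constructed for illustration.

```python
# Added example: finding codes and sample files below are constructed, not from the article.
import re

def audit_htaccess(text, web_root="public_html"):
    """Return the sorted finding codes for the text of one .htaccess file."""
    directives, depth = [], 0            # depth: <IfModule> blocks still open
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            depth -= 1
        elif line.startswith("<"):
            depth += 1
        else:
            parts = line.split(None, 1)
            directives.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    names = {name for name, _ in directives}
    auth_types = {args.lower() for name, args in directives if name == "authtype"}
    findings = set()
    if depth != 0:
        findings.add("UNCLOSED_BLOCK")               # e.g. missing </IfModule>
    if auth_types and "sslrequiressl" not in names:
        findings.add("AUTH_WITHOUT_SSL")             # login reachable over http://
    if "basic" in auth_types and "authname" not in names:
        findings.add("BASIC_WITHOUT_AUTHNAME")       # Apache rejects Basic without a realm
    if "cosign" in auth_types and "require" not in names:
        findings.add("COSIGN_ANY_ACCOUNT")           # every uniqname/friend account gets in
    for name, args in directives:
        if name == "authuserfile" and web_root in re.split(r"[\\/]+", args.strip('"')):
            findings.add("PASSWORD_FILE_IN_WEB_ROOT")  # the server could serve the hashes
    return sorted(findings)

# Constructed samples: a weak Basic setup and a restricted Cosign block.
WEAK_BASIC = """\
AuthType Basic
AuthUserFile /home/jsmith/public_html/private/.htpasswd
Require valid-user
"""
COSIGN_OK = """\
SSLRequireSSL
<IfModule mod_cosign.c>
  CosignProtected On
  AuthType Cosign
  Require user name1
</IfModule>
"""
if __name__ == "__main__":
    print(audit_htaccess(WEAK_BASIC), audit_htaccess(COSIGN_OK))
```

A finding means the file itself does not enforce the point; the main server configuration may still do so.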

Unauthorized Users with Valid uniqnames or Friend Accounts

If someone has a valid user account, but they aren't allowed to access the page, they will get an error that looks like this:

This server could not verify that you are authorized to access the URL "/~johnsmith/test". You either supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.
In case you are allowed to request the document, please check your user-id and password and try again.
If you think this is a server error, please contact the webmaster.
Error 401

This means they successfully got past Cosign, but were prohibited from accessing the page.

Indexing with .htaccess

The default behavior for many web servers is to not display a directory's index when there is no index.php, index.htm or index.html file present in the directory. You can change this behavior in a directory by adding a file called .htaccess to the specific directory. This file can have many other options, but the specific option for turning on indexing is:

Options +Indexes

The .htaccess file must be world readable for the option to be enabled. The files to be shared must also be world readable.

Redirecting with .htaccess

You can also use an .htaccess file to redirect users to another page. See Redirecting with htaccess for the details.


Article ID: 1687
Wed 5/27/20 9:58 AM
Wed 9/9/20 7:44 AM