Using htaccess


What are .htaccess files, and how do I use them?

.htaccess files give users flexibility in configuring their websites. When the web server allows them, they let users change the default web server configuration for the directory where the file is placed and for any subdirectory below it. The Apache .htaccess documentation gives a complete list of the options that can be used in an .htaccess file.

Website Authentication

One of the most common uses of the .htaccess file is to limit access to the pages in question. There are three ways to do this:

  • By IP address
  • By non-uniqname and password
  • Via mod_cosign (using university uniqname/friend account and Kerberos combination)

Filtering access by IP address

The cool thing about filtering by network address is that you can filter by hostname or by IP address. For example, the following block of text placed in your .htaccess file will allow all access from inside the University of Michigan (including Dearborn and Flint):

order deny,allow
deny from all
allow from 141.211.
allow from 141.212.
allow from 141.213.

You could replace the IP addresses with hostnames. For example, .umich.edu would also allow all machines inside the University to view the directory.

Filtering Access via Username and Password (not mod_cosign)

 Note
This method should only be used if you really don't have any other alternatives.

Please contact the webmaster to make sure you don't have any other options before taking this route. Do not use this method to secure sensitive data, such as grades or embargoed data.

If you want to use a username and password, you need both a .htaccess file and a .htpasswd (password) file. The .htaccess file contains the directives that point to the .htpasswd file, which contains the username and the password to grant access.

In this case, the .htaccess file will have the following directives:

AuthName "NAME FOR THIS PROTECTED SECTION"
AuthType Basic
AuthUserFile /path/to/htpasswd/file/.htpasswd
Require valid-user

The file named by AuthUserFile should be placed somewhere the web server can't serve it (i.e., in your network home directory but not in the public_html folder), but it must still be readable by the web server.

The passwords in the password file must be stored encrypted, and there are two ways to create the file. The first is to use a website that does the encryption for you and then copy the resulting lines into the .htpasswd file. The alternative is to use the htpasswd command on your local machine to create the passwords, which keeps the plain-text password on your own machine.
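
The placement and encryption rules above can be checked with a short script. This is an added example, not part of the original article: the function name audit_htaccess is hypothetical, web_root stands for your public_html folder, and it assumes plain POSIX permission bits with the web server reading files through the "other" read bit (it also checks that .htaccess itself is world readable, which this page requires).

```python
import re
import stat
from pathlib import Path

# Matches: AuthUserFile /path   or   AuthUserFile "/path with spaces"
AUTH_USER_FILE = re.compile(r'^\s*AuthUserFile\s+(?:"([^"]+)"|(\S+))', re.I | re.M)
# Prefixes of hash formats Apache accepts: bcrypt, Apache MD5, unsalted SHA-1
HASH_PREFIXES = ("$2y$", "$apr1$", "{SHA}")


def world_readable(path: Path) -> bool:
    # Assumption: the web server runs as another user and needs the "other" read bit
    return bool(path.stat().st_mode & stat.S_IROTH)


def audit_htaccess(htaccess: str, web_root: str) -> list[str]:
    """Return findings for one .htaccess file that sets up Basic auth."""
    findings = []
    ht = Path(htaccess)
    if not world_readable(ht):
        findings.append(".htaccess is not world readable")
    match = AUTH_USER_FILE.search(ht.read_text())
    if not match:
        return findings + ["no AuthUserFile directive"]
    pw = Path(match.group(1) or match.group(2))
    if not pw.is_absolute():
        return findings + ["AuthUserFile is not an absolute path"]
    if not pw.is_file():
        return findings + ["password file does not exist"]
    # resolve() normalises ".." segments before the containment test
    if pw.resolve().is_relative_to(Path(web_root).resolve()):
        findings.append("password file is inside the web root")
    if not world_readable(pw):
        findings.append("password file is not readable by the web server")
    for n, line in enumerate(pw.read_text().splitlines(), 1):
        if not line.strip():
            continue
        user, sep, secret = line.partition(":")
        # Heuristic: a known prefix, or the 13 characters of a traditional crypt() hash
        if not sep or not (secret.startswith(HASH_PREFIXES) or len(secret) == 13):
            findings.append(f"line {n}: password for {user!r} does not look hashed")
        elif secret.startswith("{SHA}"):
            findings.append(f"line {n}: {user!r} uses unsalted SHA-1")
    return findings
```

An empty list means the file passed every check; run it as the owner of the files, for example audit_htaccess("public_html/private/.htaccess", "public_html").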

Indexing with .htaccess

The default behavior for many web servers is to not display a directory index when there is no index.php, index.htm or index.html file present in the directory. You can change this behavior for a directory by adding a file called .htaccess to that directory. This file can have many other options, but the specific option for turning on indexing is:

Options +Indexes

The .htaccess file must be world readable for the option to be enabled. The files to be shared must also be world readable.

Redirecting with .htaccess

You can also use an .htaccess file to redirect users to another page. See Redirecting with htaccess for the details.

Details

Article ID: 1687
Created: Wed 5/27/20 9:58 AM
Modified: Tue 11/15/22 8:21 AM