Configuring HTAccess file in Debian

Web-based user authentication using HTAccess. Web-based authentication denies web access to visitors who do not give a valid username and password. This feature allows webmasters to restrict access to certain directories.
The following is an example use of the .htaccess file. Let's assume that it resides at /home/www/test/public_html/private/.htaccess:

    AuthUserFile /home/www/test/public_html/private/.htpasswd
    AuthGroupFile /dev/null
    AuthName "test Secret Section"
    AuthType Basic
    <Limit GET POST>
    require valid-user
    </Limit>

Note that the <Limit GET POST> container applies the requirement only to GET and POST requests (and HEAD, which Apache treats like GET); a request using any other method would not be challenged. If every request should be authenticated, put the require line outside the <Limit> container.
The .htaccess file affects the directory in which it is placed, so in this example, any visitor requesting <URL:http://www.test.com/private/> would be presented with an authentication request.

The .htaccess file also affects directories recursively below it. Therefore, requesting <URL:http://www.test.com/private/evenmore/> would yield the same authentication request unless test/private/evenmore had a .htaccess file of its own.
The first line, starting with AuthUserFile, tells the web server where to find your username/password file. We'll create that file in a minute. For now, change the AuthUserFile line as necessary for your use.

Notice that the AuthName in the example, "test Secret Section", is used in the authentication request.

Using your favorite text editor, create a file similar to the example, replacing AuthUserFile and AuthName with values for your situation. Be sure to name the file .htaccess.

Now that we understand the basic .htaccess model, how can we specify who is allowed? We'll create the .htpasswd file named in the AuthUserFile line above.
To create an .htpasswd file, go to the directory you specified in AuthUserFile. In the example, this is /home/www/test/public_html/private/. Then use the htpasswd program with the -c switch to create your .htpasswd in the current directory. (This has to be done from a shell, e.g. over ssh.) Type

    htpasswd -c .htpasswd username

to create the file and add "username" as the first user. Be careful: -c creates a new file, and if a file of that name already exists it is overwritten, so use -c only for the first user. The program will prompt you for a password, then verify it by asking again. You will not see the password as you type it:

    debian% htpasswd -c .mypasswds tacodog
    Adding password for user tacodog
    New password: (type password)
    Re-type new password: (re-type password)
To add more users in the future, use the same command without the -c switch:

    htpasswd .htpasswd bob

will add username "bob" to your .htpasswd file.

To delete users, open the .htpasswd file in a text editor and delete the appropriate lines:

    username:v3l0KWx6v8mQM
    bob:x4DtaLTqsElC2
Configuring HTAccess

Any COE user may set up a .htaccess file in their 'public_html/' directory and/or in any subdirectory created within that 'server root' directory. The main reasons a user would want to set up the .htaccess file are:

    Block access to certain files, except to certain domains (or completely).
    Add an experimental or special mime-type.
    Password protect a private directory.

The .htaccess file is basically an on-the-fly addition to our server configuration. It allows you to change some aspects of how the server operates on your files and directories. Note that some things have been blocked in order to keep security as high as possible. The .htaccess file is placed in the directory that it operates on. It changes the permissions/settings for the directory it is in and all sub-directories contained therein.

You may put an .htaccess file in a subdirectory of a directory controlled by another .htaccess file and it will happily work. The parent directory's .htaccess settings remain in effect unless overridden in the sub-directory's .htaccess file. This is confusing just to describe, so it probably shouldn't be done until you are an expert.
DIRECTIVES YOU CAN ADD TO THE .htaccess FILE

    Allow
    Deny
    Order
    Require
    AddType
    AuthUserFile
    AuthGroupFile
    AuthType
    AuthName
    DefaultType
    ErrorDocument
    ForceType
    Options
    Satisfy
    <Files> </Files>

That seems like a lot, but they are really very simple. Further discussion of each follows the examples:
EXAMPLES

NOTE: Users of these directives for domains should remember that DNS lookups must be enabled (on your server) for it to translate 'baddomain.com' to an IP. If DNS lookups aren't on, then use the IPs. (Ex. 133.123.4. will block every IP starting with the address 133.123.4.)

Example 1. Deny a Domain Access to a Directory.

.htaccess contains:

    Order Deny,Allow
    Deny from .thisbaddomain.com

Note that with Order Deny,Allow the Deny directives are checked first and any request that matches none of them is allowed, so this denies only the listed domain; if a request matched both a Deny and an Allow, the Allow (evaluated last) would win. Also, 'Allow from all' is the assumed default from our master configuration.
Example 2. Deny a Set of Files to a Domain.

.htaccess contains:

    <Files *.gif>
    Order Deny,Allow
    Deny from .thoseevilpeople.net
    </Files>

In this case only .gif files would be denied to anyone from .thoseevilpeople.net, and only to people from there. Since many people have more than one account (office/home) this is rarely used like this. It is more often used to allow ONLY one domain, like in the next example. Also, the style of the container directives (<Files> or <Limit>) is like HTML. (Write the Order argument without a space: Order Deny,Allow is a single argument, and "Deny, Allow" is rejected by the server as two arguments.)
Example 3. Allow Only One Domain and One Country.

.htaccess contains:

    <Files barney*>
    Order Deny,Allow
    Deny from all
    Allow from .test1.com
    Allow from .it
    </Files>

Note this example allows only people from test1.com's corporate office and people in Italy (.it) to view the files that begin with the letters 'barney'. This includes all sub-directories that contain files beginning with those letters and ALL the files in any directories that happen to begin with 'barney'. Also, notice that the Order is Deny,Allow: the Deny directives are evaluated first and the Allow directives last, so a request from test1.com or from .it matches both 'Deny from all' and an Allow, and the Allow wins. With Order Allow,Deny the Deny would be evaluated last and 'Deny from all' would lock everyone out.
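To make the Order semantics of Examples 1 to 3 concrete, here is a small Python model of how Apache evaluates Order, Allow from and Deny from for one request. It is an added example, not code from this page or from Apache, and it ignores the <Files> scoping; the client addresses and host names it is run against are constructed. It also shows why the Order argument must be written without a space.

```python
# Added example, not code from the page or from Apache: a Python model of how
# Apache 2.2 (mod_access_compat in 2.4) evaluates Order / Allow from / Deny
# from, applied to the .htaccess snippets of Examples 1 to 3 above. Client
# addresses and host names are constructed. <Files> scoping is ignored.

def rule_matches(rule, client_ip, client_host=""):
    """True if one 'Allow from' / 'Deny from' argument matches the client.

    Forms handled: 'all'; a domain ('.test1.com', 'test1.com', '.it'), which
    needs reverse DNS to produce client_host; a partial dotted IP such as
    '133.123.4.' or '133.123.4'; or a full IP address.
    """
    rule = rule.strip().lower()
    if rule == "all":
        return True
    if rule.replace(".", "").isdigit():
        octets = [o for o in rule.split(".") if o]
        if len(octets) < 4:                      # partial IP: compare the leading octets
            return client_ip.split(".")[:len(octets)] == octets
        return client_ip == rule
    # domain: whole components only, so 'test1.com' matches 'hq.test1.com' but not 'evtest1.com'
    domain = rule.lstrip(".")
    host = client_host.lower()
    return host == domain or host.endswith("." + domain)


def access_decision(order, allows, denies, client_ip, client_host=""):
    """Apply the Order semantics to the collected Allow/Deny arguments."""
    allowed = any(rule_matches(r, client_ip, client_host) for r in allows)
    denied = any(rule_matches(r, client_ip, client_host) for r in denies)
    if order == "allow,deny":
        # Allow rules first, then Deny; a Deny match wins; unmatched requests are denied
        return allowed and not denied
    if order == "deny,allow":
        # Deny rules first, then Allow; an Allow match wins; unmatched requests are allowed
        return allowed or not denied
    raise ValueError("unsupported Order value: %r" % order)


def decide_from_htaccess(htaccess, client_ip, client_host=""):
    """Parse the Order/Allow/Deny lines of an .htaccess snippet and decide one request."""
    order, allows, denies = "deny,allow", [], []   # Apache's default Order is Deny,Allow
    for raw in htaccess.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith(("#", "<")):   # comments and <Files>/<Limit> lines
            continue
        directive = parts[0].lower()
        if directive == "order":
            if len(parts) != 2:
                # 'Order Deny, Allow' splits into two arguments; Apache rejects such a file
                raise ValueError("Order takes exactly one argument, e.g. Order Deny,Allow")
            order = parts[1].lower()
        elif directive in ("allow", "deny") and len(parts) > 2 and parts[1].lower() == "from":
            (allows if directive == "allow" else denies).extend(parts[2:])
    return access_decision(order, allows, denies, client_ip, client_host)


# Constructed snippets matching Examples 1 and 3 above, the broken Order variant,
# and the IP-prefix form mentioned in the NOTE.
EXAMPLE_1 = "Order Deny,Allow\nDeny from .thisbaddomain.com\n"
EXAMPLE_3 = "Order Deny,Allow\nDeny from all\nAllow from .test1.com\nAllow from .it\n"
EXAMPLE_3_WRONG_ORDER = "Order Allow,Deny\nDeny from all\nAllow from .test1.com\nAllow from .it\n"
IP_BLOCK = "Order Deny,Allow\nDeny from 133.123.4.\n"

if __name__ == "__main__":
    print(decide_from_htaccess(EXAMPLE_1, "192.0.2.10", "www.thisbaddomain.com"))    # False
    print(decide_from_htaccess(EXAMPLE_1, "192.0.2.10", "pc.example.org"))           # True
    print(decide_from_htaccess(EXAMPLE_3, "192.0.2.11", "hq.test1.com"))             # True
    print(decide_from_htaccess(EXAMPLE_3_WRONG_ORDER, "192.0.2.11", "hq.test1.com"))  # False: everyone locked out
    print(decide_from_htaccess(IP_BLOCK, "133.123.4.9"))                             # False
```

Run it against your own snippet with the client's address and reverse-resolved host name to see which way a request goes before relying on the configuration; the wrong-Order variant makes the lock-out of Example 3 visible without touching a live server.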
Example 4. Add a Special Mime-Type to a Directory.

.htaccess contains:

    AddType image/x-photoshop PSD

This causes the server to announce *.psd files as Content-Type: image/x-photoshop when sending them to the browser. Hopefully the browser knows that image/x-photoshop means run PhotoShop and give it this file. Normally this is used with a new or still-being-tested plug-in that doesn't have an entry in our master file yet. If you need this on a permanent basis or think it might be useful to others, please send us mail about it so we can add it in for everyone.

Also, this will override the current setting, which makes 'AddType audio/x-dumbexample JPG' valid! You can change what jpg means in your directories.
Example 5. Force All Files in a Directory to a Specific Mime-Type.

.htaccess contains:

    ForceType image/jpg

This causes ALL files in the directory to be treated as JPEG files, no matter their extension. Note: it can NOT be used in a <Files> </Files> container!
Example 6. Password Protect a Directory - Simple Form.

.htaccess contains:

    AuthName "Secret Directory Access"
    AuthType Basic
    Require valid-user
    AuthUserFile /home/yourusername/mypasswords/.nameoffile

.nameoffile contains:

    user1:asdfasdfasdf2
    user2:ergvdsdfef34f

'AuthName' causes the browser to display something like "Enter username for Secret Directory Access at www.thedomain.com:" (the name contains spaces, so it must be quoted). 'AuthType Basic' tells it to use the 'AuthUserFile' for authentication (no other types are currently available). 'Require valid-user' says to allow only a valid user; you can also use 'Allow' and 'Deny' to stop certain domains.
The .nameoffile contains simple text usernames followed by a ':' and then the encrypted password for that user.

Note that the file '.nameoffile' has a period in front of it and is NOT in the www directories. Putting your password file where it could be downloaded would be a VERY bad idea. It is possible to crack simple passwords (one word or name in all upper or lower case is crackable in seconds!) so it is recommended that you use good sense and pick tough passwords that contain a number, symbol, and letter combination. The dot in front of the file simply hides the file from view during normal file listing on unix systems.

It isn't real security, but it does mark the file as special when YOU list it. The permissions on the file should be 644. This means that it is read/write for you and world readable (web server). Those people who have a full web server running under their own userid (ask about this, since it only occurs when requested and only on some account types) may set the permissions to 600 and disallow anyone else on the system from reading the file as well.
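The advice above (keep the password file outside the served tree, mode 644 or 600, strong passwords) and the earlier "delete the appropriate lines" step can be turned into a small check. The following Python is an added example, not code from this page or from Apache: it parses a .htpasswd-style file, removes a user without hand-editing (htpasswd -D does the same), classifies the stored hash formats by the prefixes htpasswd writes, and reports where the file lives and how it is protected. The file contents, paths and permission bits are constructed; a real run would read the file and take the mode from os.stat(). Note that the first example on this page puts .htpasswd inside public_html/private/: default Apache configurations refuse to serve names beginning with .ht, but a file with any other name inside the web tree has no such protection, which is why this check flags the location.

```python
import posixpath
import stat

# Added example, not code from the page or from Apache: helpers for the
# AuthUserFile (.htpasswd-style) file described above. File contents, paths
# and permission bits are constructed; a real run would read the file and
# take the mode from os.stat().

def parse_htpasswd(text):
    """Map user -> stored hash. Lines are 'user:hash'; blank and '#' lines are skipped."""
    users = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, pw_hash = line.partition(":")
        if not sep or not user:
            raise ValueError("line %d: expected user:hash" % lineno)
        users[user] = pw_hash
    return users


def remove_user(text, username):
    """The 'delete the appropriate line' step: drop every entry for username, keep the rest."""
    kept = [line for line in text.splitlines() if line.partition(":")[0] != username]
    return "".join(line + "\n" for line in kept)


def hash_format(pw_hash):
    """Classify a stored hash by the prefixes htpasswd(1) writes."""
    if pw_hash.startswith("$apr1$"):
        return "apr1-md5"
    if pw_hash.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if pw_hash.startswith("{SHA}"):
        return "sha1"
    if len(pw_hash) == 13:
        return "crypt"      # traditional crypt(3), as in the sample file: fast to guess, 8-character limit
    return "unknown"


def audit(text, passwd_path, document_root, mode):
    """Return findings about where the password file lives, its mode, and its hash formats."""
    findings = []
    pw = posixpath.normpath(passwd_path)
    root = posixpath.normpath(document_root)
    if pw == root or pw.startswith(root + "/"):
        findings.append("HIGH: password file is inside the web-served tree; move it outside the www directories")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("HIGH: password file is group- or world-writable; other local users could add accounts")
    if mode & stat.S_IROTH:
        findings.append("INFO: password file is world-readable (644): needed when the web server runs "
                        "as another user, but other local users can read and try to crack the hashes")
    for user, pw_hash in parse_htpasswd(text).items():
        fmt = hash_format(pw_hash)
        if fmt in ("crypt", "sha1", "unknown"):
            findings.append("HIGH: entry for '%s' uses %s; re-create it with htpasswd -B (bcrypt)" % (user, fmt))
    return findings


# Constructed sample matching the two-user file shown earlier on this page.
SAMPLE = "username:v3l0KWx6v8mQM\nbob:x4DtaLTqsElC2\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE, "/home/www/test/public_html/private/.htpasswd",
                         "/home/www/test/public_html", 0o644):
        print(finding)
    print(remove_user(SAMPLE, "bob"), end="")
```

Run against the page's first example (file inside public_html, mode 644, crypt-format hashes) the audit reports the location, the world-readable mode as informational, and one finding per crypt entry; the layout of Example 6 with mode 600 and bcrypt entries produces no findings.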