Debianhelp.co.uk


Configuring HTAccess file in Debian

Web-based user authentication using HTAccess. Web-based authentication denies web access to visitors who do not give a valid username and password. This feature allows webmasters to restrict access to certain directories.

The following is an example use of the .htaccess file. Let's assume that it resides at /home/www/test/public_html/private/.htaccess

AuthUserFile /home/www/test/public_html/private/.htpasswd
AuthGroupFile /dev/null
AuthName "test Secret Section"
AuthType Basic

<Limit GET POST>
require valid-user
</Limit>


The .htaccess file affects the directory in which it is placed, so in this example, any visitor requesting <URL:http://www.test.com/private/> would be presented with an authentication request.

The .htaccess file also affects directories recursively below it. Therefore, requesting <URL:http://www.test.com/private/evenmore/> would yield the same authentication request unless test/private/evenmore had a .htaccess file of its own.

The first line, starting with AuthUserFile, tells the webserver where to find your username/password file. We'll create that file in a minute. For now, change the AuthUserFile line as necessary for your use.

Notice that the AuthName in the example, "test Secret Section," is used in the authentication request.

Using your favorite text editor, create a file similar to the example, replacing AuthUserFile and AuthName with values for your situation. Be sure to name the file .htaccess.

Now that we understand the basic .htaccess model, how can we specify who is allowed? We'll create an .htpasswd file named in the AuthUserFile line above.

To create an .htpasswd file, go to the directory you specified in AuthUserFile. In the example, this is /home/www/test/public_html/private/. Then use the htpasswd program with the -c switch to create your .htpasswd in the current directory. (You have to do this in a shell on the server, e.g. over SSH.)

Type htpasswd -c .htpasswd username to create the file and add "username" as the first user. The program will prompt you for a password, then verify by asking again. You will not see the password when entering it here:

debian% htpasswd -c .htpasswd username
Adding password for user username
New password: type password
Re-type new password: re-type password


To add more users in the future, use the same command without the -c switch: htpasswd .htpasswd bob will add username "bob" to your .htpasswd file.

To delete users, open the .htpasswd file in a text editor and delete the appropriate lines:

username:v3l0KWx6v8mQM
bob:x4DtaLTqsElC2

Configuring HTAccess

Any COE user may setup a .htaccess file in their 'public_html/' directory and/or in any subdirectory created within that 'server root' directory. The main reasons a user would want to set the .htaccess file up are:

Block access to certain files, except to certain domains (or completely).
Add an experimental or special mime-type
Password protect a private directory

The .htaccess file is basically an on-the-fly addition to our server configuration. It allows you to change some aspects of how the server operates on your files and directories. Note that some things have been blocked in order to keep security as high as possible. The .htaccess file is placed in the directory that it operates on. It changes the permissions/settings for the directory it is in and all sub-directories contained therein. You may put an .htaccess file in a subdirectory of a directory controlled by another .htaccess file and it will happily work. The parent directory's .htaccess settings remain in effect unless overridden in the sub-directory's .htaccess file. This is confusing just to describe, so it probably shouldn't be done until you are an expert.

DIRECTIVES YOU CAN ADD TO THE .htaccess FILE


Allow
Deny
Order
Require
AddType
AuthUserFile
AuthGroupFile
AuthType
AuthName
DefaultType
ErrorDocument
ForceType
Options
Satisfy
<Files> </Files>

That seems like a lot but they are really very simple. Further discussion of each follows the examples:

EXAMPLES

NOTE: Users of these directives for domains should remember that DNS lookups must be enabled (on your server) for it to translate 'baddomain.com' to an IP. If DNS lookups aren't on, then use IPs instead. (Ex. 133.123.4. will block every IP starting with 133.123.4.)

Example 1. Deny a Domain Access to a Directory.

.htaccess contains:

Order Deny,Allow
Deny from .thisbaddomain.com

Note that the Order directive makes sure that 'Deny's override Allows and not the other way.
Also, 'Allow from all' is the assumed default from our master configuration.

Example 2. Deny a Set of Files to a Domain.

.htaccess contains:

<Files *.gif>
Order Deny,Allow
Deny from .thoseevilpeople.net
</Files>

In this case only .gif files would be denied, and only to visitors from .thoseevilpeople.net. Since many people have more than one account (office/home), this is rarely used like this. It is more often used to allow ONLY one domain, as in the next example.

Also, the style of the container directives (<Files> or <Limit>) is like HTML.

Example 3. Allow Only One Domain and One

.htaccess contains:

<Files barney*>
Order Deny,Allow
Deny from all
Allow from .test1.com
Allow from .it
</Files>

Note this example allows only people from 'test1.com's corporate office and people in Italy (.it) to view the files that begin with the letters 'barney'. This includes all sub-directories that contain files beginning with those letters and ALL the files in any directories that happen to begin with 'barney'.
Also, notice that the Order is chosen so that the Allow directives override 'Deny from all', so that 'all' DOESN'T end up meaning ALL.
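As an added example (not the page's own code), the decision Apache's Order/Allow/Deny directives make, written out in Python following the documented mod_access semantics: the keyword named second in Order is evaluated last and wins when both an Allow and a Deny match, so Deny,Allow permits by default and lets an Allow override a Deny, while Allow,Deny denies by default and lets 'Deny from all' block everyone. The rule sets are constructed to mirror the deny-one-domain and allow-list cases above; as the NOTE above says, a client with no reverse-DNS name can never match a domain pattern.

```python
# Added example: how Apache's classic Order/Allow/Deny rules (mod_access,
# mod_access_compat in 2.4) decide a request. Only the argument forms used on this
# page are handled: "all", (partial) domain names, and full or partial IPs.


def host_matches(pattern, ip, host=None):
    """Match one Allow/Deny argument against a client IP and optional reverse-DNS name."""
    pattern = pattern.lower()
    if pattern == "all":
        return True
    if pattern[0].isdigit():           # full IP, or a partial IP such as "133.123.4."
        return ip.startswith(pattern) if pattern.endswith(".") else ip == pattern
    if host is None:                   # domain rule, but no reverse lookup available
        return False
    host = host.lower().rstrip(".")
    if pattern.startswith("."):        # ".it" matches "www.example.it", not "bandit.com"
        return host.endswith(pattern)
    return host == pattern or host.endswith("." + pattern)


def access_allowed(order, allow, deny, ip, host=None):
    """Apply the Order keyword to the lists of 'Allow from' and 'Deny from' arguments."""
    allowed = any(host_matches(p, ip, host) for p in allow)
    denied = any(host_matches(p, ip, host) for p in deny)
    if order == "Deny,Allow":          # Apache allows no whitespace after the comma
        return allowed or not denied   # Allow is evaluated last and overrides a Deny
    if order == "Allow,Deny":
        return allowed and not denied  # Deny is evaluated last and overrides an Allow
    raise ValueError(f"unknown Order: {order!r}")


# Constructed rule sets: deny one domain (default allow), and an allow-list.
DENY_ONE_DOMAIN = dict(order="Deny,Allow", allow=[], deny=[".thisbaddomain.com"])
ALLOW_LIST = dict(order="Deny,Allow", allow=[".test1.com", ".it"], deny=["all"])
```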

Example 4. Add a Special Mime-Type to a Directory.

.htaccess contains:

AddType image/x-photoshop PSD

This causes the server to announce *.psd files as Content-Type: image/x-photoshop when sending them to the browser. Hopefully the browser knows that image/x-photoshop means run PhotoShop and give it this file. Normally this is used with a new or still-being-tested plug-in that doesn't have an entry in our master file yet. If you need this on a permanent basis or think it might be useful to others, please send us mail about it so we can add it in for everyone.
Also, this overrides the current setting, which makes 'AddType audio/x-dumbexample JPG' valid! You can change what jpg means in your directories.

Example 5. Force All Files in a Directory to a Specific Mime-Type.

.htaccess contains:

ForceType image/jpeg

This causes ALL files in the directory to be treated as JPEG files, no matter their extension.
Note, this can NOT be used inside a <Files> </Files> container!

Example 6. Password Protect a Directory - Simple Form.

.htaccess contains:

AuthName "Secret Directory Access"
AuthType Basic
Require valid-user
AuthUserFile /home/yourusername/mypasswords/.nameoffile

.nameoffile contains:

user1:asdfasdfasdf2
user2:ergvdsdfef34f


'AuthName' causes the browser to display something like, "Enter username for Secret Directory Access at www.thedomain.com:". 'AuthType Basic' tells it to use the 'AuthUserFile' for authentication (no other types are currently available). 'Require valid-user' says to only allow a valid user; you can also use 'Allow' and 'Deny' to stop certain domains.

The .nameoffile contains simple text usernames, each followed by a ':' and then the encrypted (hashed) password for that user.

Note that the file '.nameoffile' has a period in front of it and is NOT in the www directories. Putting your password file where it could be downloaded would be a VERY bad idea. It is possible to crack simple passwords (one word or name in all upper or lower case is crackable in seconds!) so it is recommended that you use good sense and pick tough passwords that contain a number, symbol, and letter combination. The dot in front of the file simply hides the file from view during normal file listing on unix systems.

It isn't real security but it does mark the file as special when YOU list it. The permissions on the file should be 644. This means that it can be read/write for you and world readable (webserver). Those people who have a full webserver running under their own userid (ask about this since it only occurs when requested and only on some account types), may set the permissions to 600 and disallow anyone else on the system from reading the files as well.
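As an added example (not the page's own code), a small Python audit of a password file in the user:hash format shown above: it parses the entries, verifies a password against the {SHA} scheme that `htpasswd -s` writes, flags users whose hash is traditional DES crypt (which truncates passwords to 8 characters and uses a 12-bit salt) or unsalted SHA-1 as candidates for re-hashing with `htpasswd -B` (bcrypt), and performs the line deletion the page does by hand in a text editor. The sample file is constructed; the first two hashes are the page's own, and `alice`'s entry is the SHA-1 of the word "password".

```python
import base64
import hashlib
import hmac
import re

# Constructed sample in the user:hash format the page shows: the first two hashes are
# 13-char traditional crypt(3) DES; "alice" uses the {SHA} format of `htpasswd -s`.
SAMPLE_HTPASSWD = ("username:v3l0KWx6v8mQM\n"
                   "bob:x4DtaLTqsElC2\n"
                   "alice:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=\n")

def parse_htpasswd(text):
    """Return {user: hash}; blank lines and '#' comments are ignored."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, digest = line.partition(":")
        if not (sep and user and digest):
            raise ValueError(f"malformed entry on line {lineno}: {line!r}")
        entries[user] = digest
    return entries

def sha_hash(password):
    """{SHA} scheme: unsalted SHA-1 of the password, base64-encoded."""
    raw = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(raw).decode()

def verify_password(entries, user, password):
    """Constant-time check against a {SHA} entry (the one scheme this example computes)."""
    digest = entries.get(user, "")
    return digest.startswith("{SHA}") and hmac.compare_digest(digest, sha_hash(password))

def hash_scheme(digest):
    """Identify the hashing scheme from the entry's prefix or shape."""
    for prefix, name in (("{SHA}", "sha1"), ("$apr1$", "apr1-md5"), ("$2", "bcrypt")):
        if digest.startswith(prefix):
            return name
    return "crypt-des" if re.fullmatch(r"[./0-9A-Za-z]{13}", digest) else "unknown"

def weak_entries(entries):
    """Users on DES crypt (8-char limit, 12-bit salt) or unsalted SHA-1: re-hash with bcrypt."""
    return sorted(u for u, d in entries.items() if hash_scheme(d) in ("crypt-des", "sha1"))

def remove_user(text, user):
    """Drop a user's line, the edit the page describes doing by hand in a text editor."""
    kept = [line for line in text.splitlines() if line.partition(":")[0] != user]
    return "\n".join(kept) + "\n"
```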
