Using Apache's .htaccess File

Table of Contents

1. Introduction
   1.1 About this tutorial
   1.2 Using this tutorial
2. Needed Files
   2.1 The .htaccess file
   2.2 The .htpasswd file
   2.3 The .htgroup file
   2.4 The htpasswd program
   2.5 The httpd.conf file
3. Creating The Files
   3.1 Creating .htaccess
   3.2 Creating .htpasswd
   3.3 Creating .htgroup
   3.4 Editing httpd.conf
4. Making changes
   4.1 Changing a user's password
   4.2 Removing a user
5. Security
   5.1 Setting permissions
   5.2 Stop users from setting up .htaccess files
6. Configuration Tips
   6.1 Denying all requests
   6.2 Listing files in a directory

1. Introduction

1.1 About this tutorial

This is a LinuxGuruz Tutorial. It uses plain language and guides the user through accomplishing a task.

1.2 Using this tutorial

In this tutorial ServerRoot is "/usr/local/Apache" and DocumentRoot is "/usr/local/Apache/htdocs".

2. Needed Files

2.1 The .htaccess file

This file should be placed in the directory you want to protect. It does not have to be called .htaccess; it can be called any name you choose. When a Web request is made to the Web Server, every directory is checked for a .htaccess file, starting with the ServerRoot and ending with the directory the requested file is in. The ServerRoot directive sets the directory in which the server lives. Typically it will contain the subdirectories conf/ and logs/. If a .htaccess file is found in a directory, its directives are applied to that directory and every subdirectory below it.

2.2 The .htpasswd file

This file can be placed anywhere except in the Apache Web Server DocumentRoot, so that it is not Web accessible. The Apache conf/ directory is a good choice. The DocumentRoot sets the directory from which the httpd will serve files. This file does not have to be called .htpasswd. It can be called any name you choose.

2.3 The .htgroup file

This file can be placed anywhere except in the Apache Web Server DocumentRoot, so that it is not Web accessible.
The Apache conf/ directory is a good choice. This file does not have to be called .htgroup. It can be called any name you choose.

2.4 The htpasswd program

This program creates and updates user authentication files (.htpasswd).

2.5 The httpd.conf file

This file is the main Apache Server configuration file. The Web Server gets its directives from this file.

3. Creating The Files

3.1 Creating .htaccess

This file should contain the following lines.

    AuthUserFile /usr/local/apache/conf/.htpasswd
    AuthGroupFile /dev/null
    AuthName ranman
    AuthType Basic
    require user ranman

To add multiple usernames and passwords use the following lines.

    AuthUserFile /usr/local/apache/conf/.htpasswd
    AuthGroupFile /usr/local/apache/conf/.htgroup
    AuthName ranman
    AuthType Basic
    require group ranman

The line AuthType Basic means HTTP Basic Authentication.

3.2 Creating .htpasswd

This file is created with the htpasswd program, using the following command line.

    htpasswd -c /usr/local/apache/conf/.htpasswd ranman

To add multiple usernames and passwords use the following command lines. Note that the -c flag is not used here. The -c flag creates a passwdfile. If the passwdfile already exists it is deleted first.

    htpasswd /usr/local/apache/conf/.htpasswd sweep
    htpasswd /usr/local/apache/conf/.htpasswd lindy
    htpasswd /usr/local/apache/conf/.htpasswd ted
    htpasswd /usr/local/apache/conf/.htpasswd cartman

3.3 Creating .htgroup

This file is used for multiple usernames and passwords and should contain the following line.

    ranman: sweep lindy ted cartman

3.4 Editing httpd.conf

To allow users to set up .htaccess files which can override all your configured httpd.conf directives, place these lines in httpd.conf.

    # AllowOverride is only valid inside a <Directory> section.
    AllowOverride All
    Order allow,deny
    Allow from all

The AllowOverride All line means the .htaccess files in directories can override any directives in the httpd.conf file.
This line controls which directives the .htaccess files can override. This can be None, All, or any combination of Options, FileInfo, AuthConfig, and Limit. If the line were "AllowOverride Limit" it would allow the user to control host access directives (allow, deny and order).

The name of the .htaccess files can be changed in httpd.conf by changing the line "AccessFileName .htaccess" to whatever name you choose. For example, the line "AccessFileName .auth" means that before returning the requested document /usr/local/apache/htdocs/index.html the Web Server will read /.auth, /usr/.auth, /usr/local/.auth, /usr/local/apache/.auth and /usr/local/apache/htdocs/.auth (unless they have been disabled; see 5.2 Stop users from setting up .htaccess files).

4. Making changes

4.1 Changing a user's password

To change a user's password, remove the user's password line from /usr/local/apache/conf/.htpasswd and recreate it with the following command line, where username is a placeholder for the user's name.

    htpasswd /usr/local/apache/conf/.htpasswd username

4.2 Removing a user

To remove a user, remove the user's password line from the /usr/local/apache/conf/.htpasswd file.

5. Security

5.1 Setting permissions

Use the following commands to set permissions on the files.

    chmod 644 .htaccess
    chmod 644 /usr/local/apache/conf/.htpasswd
    chmod 644 /usr/local/apache/conf/.htgroup

5.2 Stop users from setting up .htaccess files

To prevent users from setting up .htaccess files which can override your configured httpd.conf directives, place these lines in httpd.conf.

    # AllowOverride is only valid inside a <Directory> section.
    AllowOverride None
    Options None
    allow from all

6. Configuration Tips

6.1 Denying all requests

To deny all requests to a directory, place the following lines in the .htaccess file.

    order deny,allow
    deny from all

6.2 Listing files in a directory

To list all the files in a directory and its subdirectories by disabling index.html, add the following lines in the .htaccess file.

    # +Indexes turns the automatic directory listing on; -Indexes turns it off.
    Options +Indexes

Article written by Ranman
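
The lookup order from section 3.4 and the file-placement rules from sections 2.2, 2.3 and 5.1, as an added shell example that is not part of the original tutorial. The function names access_file_chain and audit_auth_file and the temporary demo tree are assumptions made for illustration.

```shell
# Added example (not from the tutorial); function names are hypothetical.

# Print each per-directory access file consulted for one document, from the
# filesystem root down to the document's directory. $1 is an absolute path,
# $2 is the AccessFileName (default .htaccess).
access_file_chain() {
    dir=$(dirname "$1"); name=${2:-.htaccess}; chain=""
    while :; do
        chain="${dir%/}/$name
$chain"
        case $dir in /|.) break ;; esac
        dir=$(dirname "$dir")
    done
    printf '%s' "$chain"
}

# Check one auth file (.htpasswd or .htgroup): it must live outside
# DocumentRoot and must not be writable by group or other (644 passes).
# Returns 0 when clean, 1 on a finding, 2 if a path cannot be resolved.
audit_auth_file() {
    file=$1; docroot=$2; rc=0
    [ -f "$file" ] || return 2
    real_dir=$(cd "$(dirname "$file")" 2>/dev/null && pwd -P) || return 2
    real_root=$(cd "$docroot" 2>/dev/null && pwd -P) || return 2
    case "$real_dir/" in
        "$real_root"/*) echo "FAIL: $file is under DocumentRoot"; rc=1 ;;
    esac
    mode=$(ls -ld "$file" | cut -c1-10)
    case "$mode" in
        ?????w*|????????w*) echo "FAIL: $file is $mode (group/other writable)"; rc=1 ;;
    esac
    return $rc
}

# Demo on constructed paths: a throwaway tree standing in for ServerRoot.
demo=$(mktemp -d)
mkdir -p "$demo/conf" "$demo/htdocs"
: > "$demo/conf/.htpasswd";   chmod 644 "$demo/conf/.htpasswd"
: > "$demo/htdocs/.htpasswd"; chmod 666 "$demo/htdocs/.htpasswd"
access_file_chain /usr/local/apache/htdocs/index.html .auth
audit_auth_file "$demo/conf/.htpasswd" "$demo/htdocs" && echo "OK: conf/.htpasswd"
audit_auth_file "$demo/htdocs/.htpasswd" "$demo/htdocs" || echo "findings listed above"
rm -rf "$demo"
```

Any file that access_file_chain lists and that exists on disk is a place where directives can be overridden unless AllowOverride None covers that directory.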