Back To Home HomePage


Protecting Content With .htaccess Files

.htaccess files are very versitile, and can easily become very complex.  This document contains enough information to set simple access restrictions/limits on a directory in your web space.

Remember to upload .htaccess files, and .htpasswd files using ASCII mode. This is an option is available in most FTP clients.


Username/Password Protection

This schema will prompt web users to enter a CASE SENSITIVE username/password pair before serving any content within the directory containing the .htaccess file.  In the simplest of cases there are two files involved, the .htaccess file, and the password file.

The password file is a text file containing a username and an encrypted password, seperated by a colon.  You can use one password file for many .htaccess files.  The entries can be generated here.

The .htaccess file would be placed in the directory that needs password protection, and would look something like this:

AuthUserFile /usr/ppp/l/lee/htpasswd - FULL path to the password file.  This file doesn't have to be in your public_html.
AuthName "Lee's Secret Area" - This description will appear in the login screen. Multiple words require quotes.
AuthType Basic - Just a line that is required.
<Limit GET POST> - Start of the limit tag.  This will set limits on GET's and POST's.
require valid-user - Sets area restrictions such that the user must have a valid login.
</Limit> - End of the limit tag.

If you are using one password file for multiple .htaccess files, and would like certain users to have access to some areas, but not others, you may want to try one of the following:

a) specify the users by using require user userid:

<Limit GET POST>
require user cisco
require user bob
require user tim
</Limit>

b) setup a group file. This requires you to specify AuthGroupFile.   You can now require group whatever.

.htaccess example

AuthUserFile /usr/ppp/l/lee/htpasswd
AuthGroupFile /usr/ppp/l/lee/htgroup
AuthName "Lee's Secret Area"
AuthType Basic
<Limit GET POST>
require group managers
</Limit>

AuthGroupFile example:

managers: cisco bob tim jeff kari
systems: lee joe cisco
sales: kari tonja


Restricting by IP Address

 

This only requires the .htaccess file.  There are two approaches to restricting by IP address:

a) deny everyone access, then allow certain hosts/IP addresses

AuthName "Lee's Secret Area"
AuthType Basic
<Limit GET POST>
order deny,allow
deny from all
allow from 199.166.210.
allow from .golden.net
allow from proxy.aol.com
allow from fish.wiretap.net
</Limit>

b) allow everyone except for certain hosts/IP addresses

AuthName "Lee's Secret Area"
AuthType Basic
<Limit GET POST>
order allow,deny
allow from all
deny from .microsoft.com
deny from .evil-hackers.org
deny from 24.112.106.235
deny from morphine.wiretap.net
</Limit>


More Examples

Try crunching the above together into one:

a) only managers can view this page from a .golden.net IP address:

htaccess:
AuthUserFile /usr/ppp/l/lee/htpasswd
AuthGroupFile /usr/ppp/l/lee/htgroup
AuthName "Lee's Secret Area"
AuthType Basic
<Limit GET POST>
order deny,allow
deny from all
allow from .golden.net
require group managers
</Limit>

AuthGroupFile:
managers: cisco bob tim jeff kari
systems: lee joe cisco
sales: kari tonja

b) managers can view this page from anywhere, everyone else must be from a golden.net IP address:

htaccess:
AuthUserFile /usr/ppp/l/lee/htpasswd
AuthGroupFile /usr/ppp/l/lee/htgroup
AuthName "Lee's Secret Area"
AuthType Basic
Satisfy Any                       
Default is Satisfy ALL
<Limit GET POST>
order deny,allow
deny from all
allow from .golden.net
require group managers
</Limit>

AuthGroupFile:
managers: cisco bob tim jeff kari
systems: lee joe cisco
sales: kari tonja


More

Check out apache's web site http://www.apache.org for more stuff you can use in your htaccess file.  If you have a question regarding htaccess, please contact corpsupport@execulink.com (Execulink Telecom clients only please).