Configuring HTAccess file in Debian
Administrator
Posts: 18,695
Join Date: Jan 2006
to restrict access to certain directories.

The following is an example use of the .htaccess file. Let's assume that it resides at /home/www/test/public_html/private/.htaccess

```
AuthUserFile /home/www/test/public_html/private/.htpasswd
AuthGroupFile /dev/null
AuthName "test Secret Section"
AuthType Basic
require valid-user
```

The .htaccess file affects the directory in which it is placed, so in this example, any visitor requesting

The .htaccess file also affects directories recursively below it. Therefore, requesting

The first line, starting with AuthUserFile, tells the webserver where to find your username/password file. We'll create that file in a minute. For now, change the AuthUserFile line as necessary for your use. Notice that the AuthName in the example, "test Secret Section," is used in the authentication request.

Using your favorite text editor, create a file similar to the example, replacing AuthUserFile and AuthName with values for your situation. Be sure to name the file .htaccess.

Now that we understand the basic .htaccess model, how can we specify who is allowed? We'll create the .htpasswd file named in the AuthUserFile line above.

To create an .htpasswd file, go to the directory you specified in AuthUserFile. In the example, this is /home/www/test/public_html/private/. Then use the htpasswd program with the -c switch to create your .htpasswd in the current directory. (You have to do this in ssh.)

Type `htpasswd -c .htpasswd username` to create the file and add "username" as the first user. The program will prompt you for a password, then verify by asking again. You will not see the password when entering it here:

```
debian% htpasswd -c .mypasswds tacodog
Adding password for user paul
New password: type password
Re-type new password: re-type password
```

To add more users in the future, use the same command without the -c switch: `htpasswd .htpasswd bob` will add username "bob" to your .htpasswd file.
To delete users, open the .htpasswd file in a text editor and delete the appropriate lines:

```
username:v3l0KWx6v8mQM
bob:x4DtaLTqsElC2
```

Configuring HTAccess

Any COE user may set up a .htaccess file in their 'public_html/' directory and/or in any subdirectory created within that 'server root' directory. The main reasons a user would want to set the .htaccess file up are:

- Block access to certain files, except to certain domains (or completely).
- Add an experimental or special mime-type
- Password protect a private directory

The .htaccess file is basically an on-the-fly addition to our server configuration. It allows you to change some aspects of how the server operates on your files and directories. Note that some things have been blocked in order to keep security as high as possible.

The .htaccess file is placed in the directory that it operates on. It changes the permissions/settings for the directory it is in and all sub-directories contained therein. You may put an .htaccess file in a subdirectory of a directory controlled by another .htaccess file and it will happily work. The settings of the .htaccess file in the parent directory remain in effect unless overridden in the sub-directory's .htaccess file. This is confusing just to describe, so it probably shouldn't be done until you are an expert.

DIRECTIVES YOU CAN ADD TO THE .htaccess FILE

Allow, Deny, Order, Require, AddType, AuthUserFile, AuthGroupFile, AuthType, AuthName, DefaultType, ErrorDocument, ForceType, Options, Satisfy

That seems like a lot, but they are really very simple. Further discussion of each follows the examples:

EXAMPLES

NOTE: Users of these directives for domains should remember that DNS lookups must be enabled (on your server) for it to translate 'baddomain.com' to an IP. If DNS lookups aren't on, then use the IPs. (Ex. 133.123.4. will block every IP starting with the address 133.123.4.)

Example 1. Deny a Domain Access to a Directory.

.htaccess contains:

```
Order Deny,Allow
Deny from .thisbaddomain.com
```

Note that the Order directive makes sure that 'Deny's override Allows and not the other way. Also, 'Allow from all' is the assumed default from our master configuration.

Example 2. Deny a Set of Files to a Domain.

.htaccess contains:

```
Order Deny,Allow
Deny from .thoseevilpeople.net
```

In this case only .gif files would be 'Deny'ed to anyone from .thoseevilpeople.net and only people from them. Since many people have more than one account (office/home) this is rarely used like this. It is more often used in 'Allow'ing ONLY one domain, like in the next example. Also, the style of the Container Directives (

.htaccess contains:

```
Order Allow,Deny
Deny from all
Allow from .test1.com
Allow from .it
```

Note this example allows only people from 'test1.com's corporate office and people in Italy (.it) to view the files that begin with the letters 'barney'. This includes all sub-directories that contain files beginning with those letters and ALL the files in any directories that happen to begin with 'barney'. Also, notice that we made 'Allow's come before 'Deny's in the 'Order' so that the all DOESN'T mean ALL.

Example 4. Add a Special Mime-Type to a Directory.

.htaccess contains:

```
AddType image/x-photoshop PSD
```

This causes the server to announce *.psd files as Content-Type: image/x-photoshop when sending them to the browser. Hopefully the browser knows that image/x-photoshop means run PhotoShop and give it this file. Normally this is used with a new Plug-In, or one being tested, that doesn't have an entry in our master file yet. If you need this on a permanent basis or think it might be useful to others, please send us mail about it so we can add it in for everyone. Also, this will override the current setting, which makes 'AddType audio/x-dumbexample JPG' valid! You can change what jpg means in your directories.
Example 5. Force All Files in a Directory to a Specific Mime-Type.

.htaccess contains:

```
ForceType image/jpg
```

This causes ALL files in the directory to be treated as JPEG files, no matter their extension. Note, can NOT be used in a

Example 6. Password Protect a Directory - Simple Form.

.htaccess contains:

```
AuthName "Secret Directory Access"
AuthType Basic
Require valid-user
AuthUserFile /home/yourusername/mypasswords/.nameoffile
```

.nameoffile contains:

```
user1:asdfasdfasdf2
user2:ergvdsdfef34f
```

'AuthName' causes the browser to display something like, "Enter username for Secret Directory Access at www.thedomain.com:"

'AuthType Basic' tells it to use the 'AuthUserFile' for authentication. (No other types are currently available.)

'Require valid-user' says to only allow a valid-user; you can also use 'Allow' and 'Deny' to stop certain domains.

The .nameoffile contains simple text usernames followed by a ':' and then the encrypted password for that user.

Note that the file '.nameoffile' has a period in front of it and is NOT in the www directories. Putting your password file where it could be downloaded would be a VERY bad idea. It is possible to crack simple passwords (one word or name in all upper or lower case is crackable in seconds!) so it is recommended that you use good sense and pick tough passwords that contain a number, symbol, and letter combination. The dot in front of the file simply hides the file from view during normal file listing on unix systems. It isn't real security, but it does mark the file as special when YOU list it.

The permissions on the file should be 644. This means that it can be read/write for you and world readable (webserver). Those people who have a full webserver running under their own userid (ask about this since it only occurs when requested and only on some account types) may set the permissions to 600 and disallow anyone else on the system from reading the files as well.
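A check script for the password-protection setup described in the post, as an added example (not part of the original post): it reads AuthUserFile from an .htaccess, reports whether the password file sits under the document root or is writable by group or others, and flags entries stored in the 13-character traditional crypt format seen in the sample lines. The function names and scheme labels are this example's own, and the document root is an argument you supply.

```shell
#!/bin/sh
# Added example: audit a Basic-auth .htaccess and its password file.
# Usage: sh audit.sh /path/to/.htaccess /path/to/document-root

# Classify the hash format of one "user:hash" line from an htpasswd file.
hash_scheme() {
    case "${1#*:}" in
        '$2y$'*|'$2a$'*|'$2b$'*) echo bcrypt ;;
        '$apr1$'*)               echo apr1-md5 ;;
        '{SHA}'*)                echo sha1-unsalted ;;
        ?????????????)           echo des-crypt ;;  # 13 chars: traditional crypt(3)
        *)                       echo unknown ;;
    esac
}

# Print one finding per line, each starting with WARN or OK.
audit_htaccess() {
    htaccess=$1 docroot=${2%/}
    pwfile=$(awk 'tolower($1)=="authuserfile" {gsub(/"/,"",$2); print $2; exit}' "$htaccess")
    [ -n "$pwfile" ] || { echo "WARN no AuthUserFile in $htaccess"; return 0; }
    [ -f "$pwfile" ] || { echo "WARN password file $pwfile not found"; return 0; }
    case "$pwfile" in
        "$docroot"/*) echo "WARN $pwfile is under the document root" ;;
        *)            echo "OK   $pwfile is outside the document root" ;;
    esac
    # Write access for group or others is looser than the 644 the post allows.
    if [ -n "$(find "$pwfile" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "WARN $pwfile is group- or world-writable"
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        scheme=$(hash_scheme "$line")
        case "$scheme" in
            des-crypt|sha1-unsalted|unknown)
                echo "WARN user ${line%%:*} uses $scheme" ;;
        esac
    done < "$pwfile"
}

if [ "$#" -ge 2 ]; then audit_htaccess "$1" "$2"; fi
```
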
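A small model of how Apache's documented `Order` evaluation treats the Allow and Deny lines in Examples 1 to 3, as an added example (not part of the original post). With `Order Deny,Allow` a matching Allow overrides a Deny and unmatched clients are permitted; with `Order Allow,Deny` a matching Deny overrides an Allow and unmatched clients are rejected. The `matches` and `decide` functions and the host names passed to them are constructed for illustration.

```shell
#!/bin/sh
# Added example: model of Order/Allow/Deny for host-name rules only.

# matches HOST PATTERN...: succeed if any pattern is "all" or a domain
# suffix of HOST (".test1.com" matches pc.test1.com, not xtest1.com).
matches() {
    host=$1; shift
    for pat in "$@"; do
        [ "$pat" = all ] && return 0
        p=${pat#.}
        case "$host" in
            "$p"|*".$p") return 0 ;;
        esac
    done
    return 1
}

# decide ORDER HOST "ALLOW PATTERNS" "DENY PATTERNS": prints allow or deny.
decide() {
    order=$1 host=$2 allows=$3 denies=$4
    a=no d=no
    # Unquoted on purpose: each list is split into separate patterns.
    if matches "$host" $allows; then a=yes; fi
    if matches "$host" $denies; then d=yes; fi
    case "$order" in
        Deny,Allow)  # Allow wins over Deny; a client matching nothing gets in
            if [ "$d" = yes ] && [ "$a" = no ]; then echo deny; else echo allow; fi ;;
        Allow,Deny)  # Deny wins over Allow; a client matching nothing is refused
            if [ "$a" = yes ] && [ "$d" = no ]; then echo allow; else echo deny; fi ;;
        *) echo "unsupported Order value: $order" >&2; return 2 ;;
    esac
}

# The rule set from the third example, evaluated under both orders for a
# constructed client inside test1.com.
decide Allow,Deny pc.test1.com ".test1.com .it" "all"
decide Deny,Allow pc.test1.com ".test1.com .it" "all"
```
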