Add the following to the .htaccess file:
<Limit GET>
order allow,deny
deny from 128.23.45.
deny from 207.158.255.213
allow from all
</Limit>
This is an example of a .htaccess file that
will block access to your site to anyone who
is coming from any IP address beginning with
128.23.45 and from the specific IP address
207.158.255.213. By specifying only part of
an IP address, and ending the partial IP
address with a period, all sub-addresses
coming from the specified IP address block
will be blocked. You must use IP addresses
to block access; use of domain names is not
supported.
This should help you set up protection on a
directory via the Basic HTTP Authentication
method. This method also uses the standard
plaintext password file.
So let's suppose you want to restrict files in
a directory called turkey to username pumpkin
and password pie. Here's what to do:
Create a file called .htaccess in directory
turkey that looks like this:
AuthUserFile /home/someuser/www/.htpasswd
AuthGroupFile /dev/null
AuthName ByPassword
AuthType Basic
<Limit GET>
require user pumpkin
</Limit>
Note that the password file will be in another
directory (/home/someuser/www).
AuthUserFile must be the full Unix pathname of
the password file.
Also note that in this case there is no group
file, so we specify
/dev/null (the standard Unix way to say
"this file doesn't exist").
AuthName can be anything you want. The
AuthName field gives the Realm name for which
the protection is provided. This name is
usually given when a browser prompts for a
password, and is also usually used by a
browser in correlation with the URL to save
the password information you enter so that it
can authenticate automatically on the next
challenge.
AuthType should be set to Basic, since we are
using Basic HTTP Authentication. Other
possibilities are PEM, PGP, KerberosV4,
KerberosV5, or Digest. These would be specific
to a custom install.
In this example, only the method GET is
restricted using the LIMIT directive. To limit
other methods (particularly in CGI
directories), you can specify them separated
by spaces in the LIMIT directive. For example:
<LIMIT GET POST PUT>
require user pumpkin
</LIMIT>
If you only use GET protection for a CGI
script, you may find that the REMOTE_USER
environment variable is not set when using
METHOD="POST", because the directory isn't
protected against POST.
Create the password file /home/someuser/www/.htpasswd
The easiest way to do this is to use the
htpasswd program distributed with HTTPd. Do
this:
htpasswd -c /home/someuser/www/.htpasswd pumpkin
Type the password -- pie -- twice as instructed.
Check the resulting file to get a warm feeling
of self-satisfaction; it should look like
this:
pumpkin:y1ia3tjWkhCK2
That's all. Now try to access a file in directory
turkey -- your browser should demand a
username and password, and not give you access
to the file if you don't enter pumpkin and
pie. If you are using a browser that doesn't
handle authentication, you will not be able to
access the document at all.
Advanced Access Control
Multiple Usernames/Passwords
If you want to give access to a directory to more
than one username/password pair, follow the
same steps as for a single username/password
with the following additions:
Add additional users to the directory's .htpasswd
file.
Use the htpasswd command without the -c flag
to add additional users; e.g.:
htpasswd /home/someuser/www/.htpasswd peanuts
htpasswd /home/someuser/www/.htpasswd almonds
htpasswd /home/someuser/www/.htpasswd walnuts
Create a group file.
Call it /home/someuser/www/.htgroup and have
it look something like this:
my-users: pumpkin peanuts almonds walnuts
...
where pumpkin, peanuts, almonds, and walnuts
are the usernames.
Then modify the .htaccess file in the
directory to look like this:
AuthUserFile /home/someuser/www/.htpasswd
AuthGroupFile /home/someuser/www/.htgroup
AuthName ByPassword
AuthType Basic
<Limit GET>
require group my-users
</Limit>
Note that AuthGroupFile now points to your group
file and that group my-users (rather than
individual user pumpkin) is now required for
access.
That's it. Now any user in group my-users can
use his/her individual username and password
to gain access to directory turkey.
Following are several examples of the range of
access authorization capabilities available.
Protection by network domain.
This document is only accessible to clients
running on machines inside domain
netbasiks.com.
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName ExampleAllowFromnetbasiks
AuthType Basic
<Limit GET>
order deny,allow
deny from all
allow from .netbasiks.com
</Limit>
Protection by network domain -- exclusion.
This document is accessible to clients running
on machines anywhere but inside domain
verio.net.
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName ExampleDenyFromVerio
AuthType Basic
<Limit GET>
order allow,deny
allow from all
deny from .verio.net
</Limit>
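
Most examples on this page wrap their access rules in <Limit GET>, which, as noted in the CGI remark above, leaves POST and other methods outside the restriction. The following Python script is an added example, not part of the original page: it scans .htaccess text and reports, for each <Limit> block containing require/deny/allow rules, which methods the block does not cover. The function name audit_limits, the KNOWN_METHODS reference set and the sample text are assumptions made for this example, and it assumes Apache's documented behaviour that limiting GET also limits HEAD.

```python
import re

# Reference method set for this example (an assumption; adjust for your server).
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"}
LIMIT_OPEN = re.compile(r"^\s*<Limit\s+([^>]+)>\s*$", re.IGNORECASE)
LIMIT_CLOSE = re.compile(r"^\s*</Limit>\s*$", re.IGNORECASE)
ACCESS_RULE = re.compile(r"^\s*(require|deny|allow)\b", re.IGNORECASE)

def audit_limits(text):
    """Return (line, covered, uncovered) for each <Limit> block holding access rules."""
    findings = []
    block = None  # [start line, covered methods, saw an access rule]
    for number, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # comment line
        opened = LIMIT_OPEN.match(line)
        if opened:
            covered = set(opened.group(1).split())
            if "GET" in covered:
                covered.add("HEAD")  # Apache applies a GET limit to HEAD as well
            block = [number, covered, False]
        elif block and LIMIT_CLOSE.match(line):
            start, covered, has_rule = block
            if has_rule:
                findings.append((start, sorted(covered), sorted(KNOWN_METHODS - covered)))
            block = None
        elif block and ACCESS_RULE.match(line):
            block[2] = True
    return findings

# Constructed sample built from the two <Limit> forms shown on this page.
SAMPLE = """\
AuthUserFile /home/someuser/www/.htpasswd
AuthGroupFile /dev/null
AuthName ByPassword
AuthType Basic
<Limit GET>
require user pumpkin
</Limit>
<LIMIT GET POST PUT>
require user pumpkin
</LIMIT>
"""

if __name__ == "__main__":
    for start, covered, uncovered in audit_limits(SAMPLE):
        print(f"line {start}: covers {covered}; unrestricted: {uncovered}")
```

A block reported with a non-empty uncovered list restricts only the methods it names; in Apache, placing the same rules outside any <Limit> section applies them to every method.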