Controlling Access to your Web Site with .htaccess



.htaccess Examples

.htaccess files can be created within a simple text editor (Notepad, vi, etc.). We will go through several simple examples of restricting access using an .htaccess file in your web directory.


Where to put your .htaccess file

Put your .htaccess file in the web directory for which you want to control access.

Typically, that is the 'public_html' directory, unless your webserver uses a different directory name. You can have multiple .htaccess files, each one in a different subdirectory within your web directory. Those are only needed if you want different settings in different directories. If you want the same settings for every directory, one .htaccess file at the highest level is all you need, since its directives also apply to everything below it.


IP address and IP names can be used to restrict web page access

It is possible to restrict access to your web pages to only particular IP addresses, hostnames, or groups of addresses and hostnames. For example, if we wanted no one to be able to access a particular web page except someone from IP address 160.36.160.45 or IP name winmax.ws.utk.edu, we could put these lines in our .htaccess file:

Order Deny,Allow
Deny from all
Allow from 160.36.160.45
Allow from winmax.ws.utk.edu


This denies everyone access but then allows access from the two sources listed above.
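To make the evaluation order concrete, here is an added Python model of how Apache's Order, Deny from and Allow from lines are combined. It is not Apache's code and it goes beyond the page by also handling partial IPs, CIDR networks, domain suffixes and the opposite Order, Allow,Deny. Hostname patterns depend on the reverse DNS name of the client address, which is passed in here as a parameter; on Apache 2.4 these directives live in the compatibility module mod_access_compat.

```python
import ipaddress
import re

# Constructed model of how mod_access evaluates "Order", "Deny from" and
# "Allow from" (not Apache's own code). A pattern is "all", a full IP,
# a partial IP such as "160.36.160.", a CIDR such as "160.36.0.0/16",
# or a hostname / domain suffix such as "winmax.ws.utk.edu" or "utk.edu".

def _matches(pattern, ip, hostname):
    pattern = pattern.lower()
    if pattern == "all":
        return True
    if "/" in pattern:                     # CIDR network
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if re.fullmatch(r"[0-9.]+", pattern):  # full or partial (leading octets) IP
        return ip == pattern or ip.startswith(pattern.rstrip(".") + ".")
    host = (hostname or "").lower()        # name from the reverse DNS lookup
    return host == pattern or host.endswith("." + pattern.lstrip("."))

def access_allowed(order, deny, allow, ip, hostname=None):
    """True if a client at ip (with resolved hostname, if any) is admitted."""
    denied = any(_matches(p, ip, hostname) for p in deny)
    allowed = any(_matches(p, ip, hostname) for p in allow)
    if order == "Deny,Allow":
        # Deny is checked first and Allow last, so an Allow match wins over
        # a Deny match; a client matching neither list is admitted.
        return allowed or not denied
    if order == "Allow,Deny":
        # Allow first, Deny last: a Deny match wins; a client matching
        # neither list is refused.
        return allowed and not denied
    raise ValueError("unknown Order: %r" % order)

# The page's .htaccess expressed as data
PAGE_RULES = {"order": "Deny,Allow", "deny": ["all"],
              "allow": ["160.36.160.45", "winmax.ws.utk.edu"]}
```

Note the default that each Order implies: with Deny,Allow a client matching neither list gets in, with Allow,Deny it does not, which is why the page pairs Deny,Allow with an explicit Deny from all.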


Redirect a web client to a different address

You can map an old URL to a new one. The new URL is sent to the web client (browser), which attempts to fetch it again with the new address. This is useful if you change your web address and users still have the old one.

Redirect /hurricane http://www.nhc.noaa.gov

This redirects anyone who tries to access http://bmw.ws.utk.edu/hurricane to http://www.nhc.noaa.gov.


Error documents can be customized

You can have error documents customized to your web site. For instance, we return a page with a message we have chosen and also a search box which searches only our web site.

ErrorDocument 404 http://bmw.ws.utk.edu/htaccess/examples/errors/docs/404.html



Prevent directory listing

Web visitors can view your full directory listing if you do not have an index.html or equivalent. This can be a security risk for your web site, since it exposes every file in the directory, including ones you never linked to.

You can prevent this by entering one directive in your .htaccess file. You then do not have to create a lot of new 'index' files to keep users from looking at your directories.

Options -Indexes


You can allow an index listing if it is normally disallowed. Just put a '+' instead of a '-' (Options +Indexes).


Hot-linking

You can control other web developers linking directly to your images, style sheets, or other remotely includable content (hot-linking) by making entries in your .htaccess file. Hot-linking uses your bandwidth and puts additional load on your server.

You can use the RewriteEngine to prevent this from occurring. Put the lines below in the .htaccess file of the web directory holding the images you want to protect. 'mod_rewrite' needs to be enabled on your server in order for this aspect of .htaccess to work; the module has to be installed when Apache is installed.

RewriteEngine on
# skip the rule when no Referer header was sent at all
RewriteCond %{HTTP_REFERER} !^$
# skip the rule when the referring page is on our own site (dots escaped to match literally)
RewriteCond %{HTTP_REFERER} !^http://(bmw\.)?ws\.utk\.edu/.*$ [NC]
# otherwise answer 403 Forbidden for .gif and .jpg files
RewriteRule \.(gif|jpg)$ - [F]
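As an added example that is not from the original page, the following Python mirrors the decision the three mod_rewrite lines make for a single request, using the same patterns (with the hostname's dots escaped), so the effect of each condition can be checked without a running server.

```python
import re

# Constructed model of the RewriteCond/RewriteRule lines above (not
# Apache's own code); the patterns are the page's, with the hostname's dots
# escaped so they match only literal dots.
REFERER_OK = re.compile(r"^http://(bmw\.)?ws\.utk\.edu/.*$", re.IGNORECASE)  # [NC]
PROTECTED = re.compile(r"\.(gif|jpg)$")   # RewriteRule pattern, case-sensitive

def hotlink_status(path, referer):
    """HTTP status the rule set yields for a request: 200 (served) or 403."""
    if not PROTECTED.search(path):
        return 200          # rule only covers .gif/.jpg; other files untouched
    # RewriteCond %{HTTP_REFERER} !^$ : the rule skips requests with no
    # Referer, so browsers and proxies that strip it still get the image.
    if not referer:
        return 200
    # RewriteCond ... !^http://(bmw\.)?ws\.utk\.edu/.*$ [NC]: own site passes
    if REFERER_OK.match(referer):
        return 200
    return 403              # [F]: Forbidden for every other referring site
```

The '/' required right after the hostname is what stops a look-alike name such as ws.utk.edu.example.com from passing; the RewriteRule itself carries no [NC], so an upper-case .JPG is not covered unless you add that flag.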



Automatic Headers and Footers

You can auto-prepend a header, and auto-append a footer, on every web page in your web directory. There is no need to add any code within the web pages you create.

By setting the PHP configuration variables auto_prepend_file and auto_append_file within your .htaccess file, the files they name are included at the top and bottom of every web page viewed. You will need to make your pages PHP pages, either by using the .php extension instead of .html or by having your Apache webserver parse everything as PHP. Your web administrator can do that for you.

php_value auto_prepend_file "/where/your/header/is/header.inc"
php_value auto_append_file "/where/your/footer/is/footer.inc"



Authentication

You can use the .htaccess file to require an authenticated login via a userid and password. There are several ways to implement this; for instance, you can authenticate against your LDAP server. In our example we will use Basic Authentication, the simplest method.

When using Basic Authentication you will use a tool that ships with Apache, 'htpasswd', at the command line to create and edit a flat file on your filesystem to authenticate against. Let's create a userid 'john':

htpasswd -c .htpasswd john

By putting the '-c' we create a new .htpasswd file. If we already had a file in place we would omit the '-c'; then we would just be adding a new user to the existing file. The .htpasswd file is created or edited and the userid and the encrypted password are saved to it. Keep the password file outside the web directory so it cannot be fetched through the web server.

Then you need to make entries to your .htaccess file.

AuthType Basic
AuthName "By Invitation Only"
AuthUserFile /where/you/put/your/passwords
Require valid-user


(From the Apache website)

Optionally, create a group file

Most of the time, you will want more than one, or two, or even a dozen, people to have access to a resource. You want to be able to define a group of people that have access to that resource, and be able to manage that group of people, adding and removing members, without having to edit the server configuration file, and restart Apache, each time.

This is handled using authentication groups. An authentication group is, as you would expect, a group name associated with a list of members. This list is stored in a group file, which should be stored in the same location as the password file, so that you are able to keep track of these things.

The format of the group file is exceedingly simple. A group name appears first on a line, followed by a colon, and then a list of the members of the group, separated by spaces. For example:

class: john sally sam

Once this file has been created, you can Require that someone be in a particular group in order to get the requested resource. This is done with the AuthGroupFile directive, as shown in the following example.

AuthType Basic
AuthName "By Invitation Only"
AuthUserFile /where/you/put/your/passwords
AuthGroupFile /where/you/put/your/groupfile
Require group class

The authentication process is now one step more involved. When a request is received, and the requested username and password are supplied, the group file is first checked to see if the supplied username is even in the required group. If it is, then the password file will be checked to see if the username is in there, and if the supplied password matches the password stored in that file. If any of these steps fail, access will be forbidden.

You should use an SSL (https) connection when requiring authentication: Basic Authentication sends the userid and password with every request in an easily decoded form, so over plain http they can be read by anyone on the network path.
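The group check described above, as an added Python example that is not Apache's code: it parses a password file and a group file built in memory and applies the three steps in the order given (group membership, then presence in the password file, then the password itself). The entries use the "{SHA}" form that htpasswd -s writes, chosen only because the standard library can reproduce it; for a real file htpasswd -B (bcrypt) is the stronger choice. The user names and passwords are made up.

```python
import base64
import hashlib
import hmac

# Constructed example (not Apache's code) of the check order described above,
# run against a password file and a group file built in memory. Entries use
# the "{SHA}" form that "htpasswd -s" writes (base64 of the SHA-1 digest),
# chosen only because the standard library can reproduce it.

def sha_entry(password):
    """Encode a password the way 'htpasswd -s' stores it."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()

def parse_htpasswd(text):
    """Map user -> stored hash from 'user:hash' lines (blank lines ignored)."""
    users = {}
    for line in text.splitlines():
        if ":" in line:
            user, stored = line.split(":", 1)
            users[user.strip()] = stored.strip()
    return users

def parse_groups(text):
    """Map group -> set of members from 'group: member member ...' lines."""
    groups = {}
    for line in text.splitlines():
        if ":" in line:
            name, members = line.split(":", 1)
            groups[name.strip()] = set(members.split())
    return groups

def authorize(users, groups, required_group, user, password):
    """True only when every step of the group check above succeeds."""
    if user not in groups.get(required_group, set()):
        return False                    # 1. not in the required group
    stored = users.get(user)
    if stored is None or not stored.startswith("{SHA}"):
        return False                    # 2. not in the password file
    # 3. supplied password must hash to the stored value (constant-time compare)
    return hmac.compare_digest(stored, sha_entry(password))

# Constructed sample files: sam is in the group but has no password entry,
# bob has a password entry but is not in the "class" group.
HTPASSWD = "\n".join(["john:" + sha_entry("correct horse"),
                      "sally:" + sha_entry("battery staple"),
                      "bob:" + sha_entry("bobpass")])
GROUPS = "class: john sally sam\nstaff: bob\n"
```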



For questions or comments
Email: jbrose@utk.edu     Phone: (865) 974-1009
web: http://www.cs.utk.edu/~rose

July 4, 2009, 10:15 am