To use this facility, simply create a file called ".htaccess", within the web content directory that you wish to control. This file must have permissions 0644, but can never be displayed by the web server. However, since the directory path containing it must be at least world-executable, it can be examined by any user logged in to Unix. They may not be able to search for it, but if they suspect the file is there, they can certainly read it.

There was a previous example of using a ".htaccess" file to allow a web surfer to see a directory listing of a portion of your web site. The example required a ".htaccess" file that contained the phrase "Options Indexes". This allows the web server to show a directory listing if the specified web directory does NOT contain an "index.html" file. If there is an "index.html", then any "Options Indexes" clause in a

".htaccess" file will be ignored. This applies even if the permissions of "index.html" do not allow it to be displayed.

Note that the effect of ".htaccess" files is cumulative. They not only apply to the directory containing them, but also to all subordinate directories. If an entire hierarchy of directories contains ".htaccess" files, then the effect is usually to apply the most restrictive of the rules encountered.

".htaccess" files can also be used to restrict access to certain IP address or Internet Domain Names. The department uses the latter rules to restrict access to portions of the site that are classified as "local-only". This is done with an access file that contains:

Order Deny,Allow
Deny From All
Allow From 142.3

With a Deny,Allow option the rule reads as: "Deny access to everyone except web clients whose IP Address starts with 142.3". The University of Regina's IP Addresses are all in the 142.3 block, so access is only allowed to on-campus users. i.e. "local-only".

Another common use for ".htaccess" files is to require that a user id and password be provided to access some part of a web site. Setting this up is a two part process. First of all, you must use the "htpasswd" command to create a user id and password file. For details about how to use this command see "man htpasswd". The password file that you create should not be anywhere within your "public_html" directory tree. Typically the file is created in the root of your home directory. Once the password file exists, create an ".htaccess" file that contains:

AuthUserFile /home/hercules/u/username/Name_of_Your_Password_File
AuthGroupFile /dev/null
AuthName "My Friends Only!"
AuthType Basic

Require Valid-User

Note: As previously mentioned, this ".htaccess" file only restricts web surfers. Anyone who can log in to Unix can still see the files in the protected directory, as long as they know the name of the file. Since the actual file name is revealed in the URL, it isn't hard to figure out! This means that this technique alone is not particularly useful for such things as limiting access to solutions to assignments. However, if the directory being protected contained a web form that ran a script, then the script can display files that are not world-readable. This could be done with a variant of the PHP example shown in the PHP section.

Not only can these various options be used independently, they can all be combined into a single ".htaccess" file. For a thoroughly nonsensical example, we want to allow anyone in the world, except people in the CS Department or Microsoft, to look at a directory listing, as long as they know the secret password!

Options Indexes

AuthUserFile /home/hercules/u/username/Name_of_Your_Password_File
AuthGroupFile /dev/null
AuthName "No Computer Geeks!"
AuthType Basic

Satisfy All

Order Allow,Deny
Allow From All
Deny From cs.uregina.ca, microsoft.com

Require Valid-User