.htaccess Web Access Control

Michael John Muuss

To give individual Web content providers the ability to control access to Web pages, the NCSA and Apache servers look for a file named ".htaccess" in each directory along the path to a Web document. In general, top-level directories are left public and have no ".htaccess" file, while some lower directories might be restricted. In special cases two levels of protection might be employed: for example, a set of documents might be protected for ".mil" hosts only, with one subdirectory inside that also requiring a password to be supplied, to further limit distribution.

WARNING: The ".htaccess" files along a path are not cumulative. When a lower directory's ".htaccess" carries its own access directives, they replace, rather than add to, the restrictions set by the directories above it; a directory with no access directives of its own simply inherits. So clients can skip over protected directories if they know the URL of a less protected directory below them. This is counter-intuitive, but it's the way things work, in both the NCSA and Apache servers. Before relying on a restriction, check every ".htaccess" file beneath the protected directory, not just the one at the top.

These types of access restrictions are often employed to create Web pages internal to an organization. The fashionable buzzword for this is an "IntraNet", a phrase which I don't care for.

There are two styles of access control available.

Domain-name based access control

It is possible to restrict access to machines whose hostname (fully qualified domain name, FQDN) matches a certain pattern or patterns. Hosts which do not match the patterns will not be permitted access. Hosts which are not registered with the domain name service (DNS) will not be permitted access either, because the server only learns the client's name by reverse-resolving the client's IP address. Keep in mind that the reverse DNS entry for an address is controlled by whoever administers that address block, not by you. Apache guards against forged entries with a double-reverse lookup (the name obtained from the address is resolved forward again and must map back to the same address), but name-based control is still only as trustworthy as the DNS servers involved.

This example is the most commonly needed one for ARL users -- it restricts access to military and government machines only. To implement this type of access control, place these lines in your ".htaccess" file. Two notes on the example: the "Options All" line has nothing to do with access control (it turns on every directory option, including directory indexes, server-side includes and CGI execution) and can be left out if you don't need those; and a "<Limit GET>" block restricts only GET requests (plus HEAD, in Apache), so other methods such as POST are left unrestricted. In Apache the order/allow/deny lines may be placed outside any <Limit> block, in which case they apply to every method.

Options All
<Limit GET>
order deny,allow
deny from all
allow from .mil .gov
allow from localhost
</Limit>

To restrict to ARL machines, just change the "allow" rule, like this. A partial domain name such as "arl.army.mil" matches on name-component boundaries, so it admits "arl.army.mil" itself and every host whose name ends in ".arl.army.mil", but not, say, "notarl.army.mil":

Options All
<Limit GET>
order deny,allow
deny from all
allow from arl.army.mil
allow from localhost
</Limit>
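
The following Python script is an added example, not code from the original page and not part of NCSA httpd or Apache. It models the two behaviours described above so you can reason about a configuration before deploying it: the "order deny,allow" evaluation with partial-domain matching, and the non-cumulative merging of ".htaccess" files along a path (the lowest file with access directives wins). The directory tree, file contents and host names are constructed for the demonstration.

```python
"""Model of name-based .htaccess access control along a URL path.

Added example (not Apache's or NCSA's own code): imitates 'order deny,allow'
evaluation and the per-directory replacement of access directives.
"""
import posixpath
import re

LIMIT_RE = re.compile(r"^\s*</?Limit\b.*>\s*$", re.IGNORECASE)


def host_matches(client_host, pattern):
    """Match a reverse-resolved client FQDN against one allow/deny argument.

    'all' matches everything. A partial domain name matches on label
    boundaries: '.mil' and 'mil' both match 'ws.arl.army.mil', while
    'army.mil' does not match 'notarmy.mil'.
    """
    client_host = client_host.lower().rstrip(".")
    pattern = pattern.lower().strip(".")
    if pattern == "all":
        return True
    return client_host == pattern or client_host.endswith("." + pattern)


def parse_access_directives(text):
    """Extract order/allow/deny from one .htaccess body.

    Returns None when the file carries no access directives at all; such a
    file leaves the parent directory's rules in force.
    """
    order, allows, denies, found = None, [], [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or LIMIT_RE.match(line):
            continue  # blank, comment, or <Limit>/</Limit> wrapper
        words = line.split()
        key = words[0].lower()
        if key == "order" and len(words) > 1:
            order, found = words[1].lower(), True
        elif key in ("allow", "deny") and len(words) > 2 and words[1].lower() == "from":
            (allows if key == "allow" else denies).extend(words[2:])
            found = True
    if not found:
        return None
    return {"order": order or "deny,allow", "allow": allows, "deny": denies}


def evaluate(rules, client_host):
    """Decide one host under 'order deny,allow' or 'order allow,deny'.

    deny,allow: allowed by default; a matching deny blocks unless an allow also matches.
    allow,deny: denied by default; a matching allow admits unless a deny also matches.
    """
    allowed = any(host_matches(client_host, p) for p in rules["allow"])
    denied = any(host_matches(client_host, p) for p in rules["deny"])
    if rules["order"] == "deny,allow":
        return allowed or not denied
    if rules["order"] == "allow,deny":
        return allowed and not denied
    raise ValueError("unsupported order: " + rules["order"])


def access_decision(htaccess_files, url_path, client_host):
    """Walk every directory from '/' down to the document's own directory.

    htaccess_files maps a directory path ('/', '/internal', ...) to the text
    of its .htaccess. Each file with access directives replaces the rules
    collected so far; directories without one inherit. No rules anywhere
    means the document is public.
    """
    directory = posixpath.dirname(url_path) or "/"
    parts = [p for p in directory.split("/") if p]
    prefixes = ["/"] + ["/" + "/".join(parts[:i + 1]) for i in range(len(parts))]
    effective = None
    for prefix in prefixes:
        rules = parse_access_directives(htaccess_files.get(prefix, ""))
        if rules is not None:
            effective = rules
    return True if effective is None else evaluate(effective, client_host)


# Constructed .htaccess tree for the demonstration (not a real site).
TREE = {
    "/internal": "Options All\n<Limit GET>\norder deny,allow\ndeny from all\n"
                 "allow from .mil .gov\nallow from localhost\n</Limit>\n",
    # A deeper directory someone opened up again: the WARNING case above.
    "/internal/drafts/shared": "order deny,allow\nallow from all\n",
}

if __name__ == "__main__":
    for path, host in [("/internal/index.html", "ws.arl.army.mil"),
                       ("/internal/index.html", "crawler.example.com"),
                       ("/internal/drafts/plan.html", "crawler.example.com"),
                       ("/internal/drafts/shared/notes.html", "crawler.example.com")]:
        verdict = "allow" if access_decision(TREE, path, host) else "deny"
        print(path, host, "->", verdict)
```

Run it and the last line shows the problem the WARNING describes: "crawler.example.com" is refused "/internal/index.html" and "/internal/drafts/plan.html" (the latter inherits the "/internal" rules), yet is admitted to "/internal/drafts/shared/notes.html", because the ".htaccess" there replaced the parent's rules with "allow from all".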

Password based access control

To implement this type of access control, place these lines in your ".htaccess" file. As in the examples above, "Options All" is unrelated to authentication and may be omitted, and "<Limit GET>" covers only GET (and HEAD) requests:

Options All

AuthType Basic
AuthName [HTTP Authentication Realm]
AuthUserFile /var/www/conf/passwd

<Limit GET>
require valid-user
</Limit>

You'll need to get an executable copy of the "htpasswd" program to allow you to establish user names and assign them passwords; it writes hashed passwords, not the passwords themselves, into the file named by AuthUserFile. The passwords used for Web pages must be different from login passwords, because with Basic authentication they travel on the network in the clear: the browser sends "username:password" base64-encoded in the Authorization header of every request to the protected area, and base64 is an encoding, not encryption, so anyone who can see the traffic can read them.

The message in the square brackets "[]" is a placeholder for a text string that will be displayed to the user when they are prompted for the password; in Apache, enclose it in double quotes if it contains spaces. The path to the password file may need to be modified for your application; it can even be located in the current directory as a "dot file", but if you do that, make sure the server will not serve the file itself to clients. Apache's stock configuration refuses to serve files whose names begin with ".ht", so a name such as ".htpasswd" is safe there; a password file under any other name inside the document tree is a download waiting to happen. Keeping the file outside the document tree altogether, as the example does, avoids the question.
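
The following Python script is an added example, not code from the original page and not part of NCSA httpd or Apache. It shows both halves of the exchange described above: what a Basic-authenticated request looks like on the wire (the credential is recoverable by anyone who can read the packet) and how a server checks the decoded credential against an htpasswd file without the file holding the password itself. The captured request, user names and password file are constructed for the demonstration; only the "{SHA}" entry format (what "htpasswd -s" writes) is verified here, and crypt(3) and MD5 entries are treated as unsupported.

```python
"""HTTP Basic credentials on the wire versus in the htpasswd file.

Added example (not NCSA's or Apache's code). All inputs are constructed.
"""
import base64
import binascii
import hashlib
import hmac

# Constructed request, exactly as a sniffer on the wire would see it.
CAPTURED_REQUEST = (
    "GET /internal/budget.html HTTP/1.0\r\n"
    "Host: www.example.mil\r\n"
    "Authorization: Basic bWptOmxldG1laW4=\r\n"
    "\r\n"
)

# Constructed AuthUserFile contents in the format 'htpasswd -s' produces:
# the file holds a base64 SHA-1 digest, so it reveals no password even
# though the wire does.
PASSWD_FILE = (
    "mjm:{SHA}" + base64.b64encode(hashlib.sha1(b"letmein").digest()).decode() + "\n"
    "guest:{SHA}" + base64.b64encode(hashlib.sha1(b"welcome1").digest()).decode() + "\n"
)


def build_request(path, user, password):
    """Client side: what a browser sends once the user fills in the dialog."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode()
    return (f"GET {path} HTTP/1.0\r\n"
            "Host: www.example.mil\r\n"
            f"Authorization: Basic {token}\r\n"
            "\r\n")


def credentials_from_request(raw_request):
    """Pull the user name and password out of a Basic Authorization header.

    Returns None when the request carries no usable Basic credential. The
    'decoding' is plain base64, which is why the page says the password
    travels in the clear.
    """
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            user_pass = base64.b64decode(token.strip(), validate=True).decode("latin-1")
        except (binascii.Error, UnicodeDecodeError):
            return None
        user, sep, password = user_pass.partition(":")
        return (user, password) if sep else None
    return None


def load_htpasswd(text):
    """Parse 'user:hash' lines into a dict, skipping blanks and comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        entries[user] = stored
    return entries


def check_password(entries, user, password):
    """True only for a known user whose {SHA} entry matches.

    Constant-time comparison; unknown users and unsupported entry
    formats fail closed.
    """
    stored = entries.get(user)
    if stored is None or not stored.startswith("{SHA}"):
        return False
    expected = stored[len("{SHA}"):]
    digest = base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode()
    return hmac.compare_digest(digest, expected)


def authenticate(raw_request, passwd_text):
    """Server-side decision for one request: (user, allowed)."""
    creds = credentials_from_request(raw_request)
    if creds is None:
        return (None, False)
    user, password = creds
    return (user, check_password(load_htpasswd(passwd_text), user, password))


if __name__ == "__main__":
    print(credentials_from_request(CAPTURED_REQUEST))   # ('mjm', 'letmein')
    print(authenticate(CAPTURED_REQUEST, PASSWD_FILE))  # ('mjm', True)
```

The first print is the whole point of the "different from login passwords" rule: nothing more than a base64 decode stands between a packet capture and the password. The second shows that the server never needs the password file to contain the password, only a digest of it.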

For more information, see the NCSA HTTPd Access Configuration documentation.


