Protecting Content With .htaccess Files

.htaccess files are very versatile, and can easily become very complex. This document contains enough information to set simple access restrictions/limits on a directory in your web space.

Remember to upload .htaccess files and .htpasswd files using ASCII mode. This option is available in most FTP clients.

Username/Password Protection
Note: this does not work on the PHP5 web servers at Darkscape


This scheme will prompt web users to enter a CASE SENSITIVE username/password pair before serving any content within the directory containing the .htaccess file. In the simplest of cases there are two files involved: the .htaccess file and the password file.

The password file is a text file in which each entry contains a username and an encrypted password, separated by a colon. You can use one password file for many .htaccess files. The entries can be generated in the members login area.

The .htaccess file would be placed in the directory that needs password protection, and would look something like this:
AuthUserFile /home/username/htpasswd - path to the password file.
AuthName "Tom's Secret Area" - Description which appears in the login screen.
AuthType Basic - A line that is required.
- Start of the limit.
require valid-user - Sets area restrictions, user must have a valid login.
- End of limit.

If you are using one password file for multiple .htaccess files, and would like certain users to have access to some areas, but not others, you may want to try one of the following:

a) specify the users by using require user userid:


require user cisco
require user bob
require user tim


b) set up a group file. This requires you to specify AuthGroupFile. You can then use require group followed by a group name.

.htaccess example

AuthUserFile /home/username/htpasswd
AuthGroupFile /home/username/htgroup
AuthName "Tom's Secret Area"
AuthType Basic

require group managers


AuthGroupFile example:
managers: cisco bob tim jeff kari
systems: tom joe cisco
sales: kari tonja

Restricting by IP Address

This only requires the .htaccess file. There are two approaches to restricting by IP address:

a) deny everyone access, then allow certain hosts/IP addresses

AuthName "Tom's Secret Area"
AuthType Basic

order deny,allow
deny from all
allow from 199.166.210.
allow from .darkscape.net
allow from proxy.aol.com
allow from fish.wiretap.net


b) allow everyone except for certain hosts/IP addresses

AuthName "Tom's Secret Area"
AuthType Basic

order allow,deny
allow from all
deny from .microsoft.com
deny from .evil-hackers.org
deny from 24.112.106.235
deny from morphine.wiretap.net


More Examples

Try crunching the above together into one:

a) only managers can view this page, and only from a .darkscape.net address:

htaccess:
AuthUserFile /home/username/htpasswd
AuthGroupFile /home/username/htgroup
AuthName "Tom's Secret Area"
AuthType Basic

order deny,allow
deny from all
allow from .darkscape.net
require group managers


AuthGroupFile:
managers: cisco bob tim jeff kari
systems: tom joe cisco
sales: kari tonja

b) managers can view this page from anywhere, everyone else must be from a darkscape.net IP address:

htaccess:
AuthUserFile /home/username/htpasswd
AuthGroupFile /home/username/htgroup
AuthName "Tom's Secret Area"
AuthType Basic
Satisfy Any
* Default is Satisfy ALL

order deny,allow
deny from all
allow from .darkscape.net
require group managers


AuthGroupFile:
managers: cisco bob tim jeff kari
systems: tom joe cisco
sales: kari tonja
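
The difference between examples a) and b) is easiest to see by evaluating both against the same requests. The following is an added example, not part of the original page and not Apache's own code: a simplified Python model of the order/allow/deny, require and Satisfy logic described above. The function names and the sample client addresses are constructed for illustration.

```python
# Added example: simplified model of the host and user checks in this page's
# .htaccess examples. Function names and the sample requests are constructed.
GROUPS = {  # the AuthGroupFile shown on this page
    "managers": {"cisco", "bob", "tim", "jeff", "kari"},
    "systems": {"tom", "joe", "cisco"},
    "sales": {"kari", "tonja"},
}

def host_matches(spec, ip, hostname):
    """Match one 'allow from' / 'deny from' argument against a client."""
    if spec == "all":
        return True
    if spec[0].isdigit():  # full or partial IP address, matched on dot boundaries
        prefix = spec if spec.endswith(".") else spec + "."
        return (ip + ".").startswith(prefix)
    name, suffix = (hostname or "").lower(), spec.lower().lstrip(".")
    return name == suffix or name.endswith("." + suffix)  # whole labels only

def host_allowed(cfg, ip, hostname):
    allow = any(host_matches(s, ip, hostname) for s in cfg["allow"])
    deny = any(host_matches(s, ip, hostname) for s in cfg["deny"])
    if cfg["order"] == "deny,allow":  # allow overrides deny, default is allow
        return allow or not deny
    return allow and not deny  # "allow,deny": deny overrides, default is deny

def user_allowed(require, user):
    """user is the authenticated login name, or None without a valid login."""
    kind, names = require[0], require[1:]
    if user is None:
        return False
    if kind == "valid-user":
        return True
    if kind == "user":
        return user in names
    return any(user in GROUPS.get(g, set()) for g in names)  # "group"

def access(cfg, ip, hostname, user):
    host_ok = host_allowed(cfg, ip, hostname)
    user_ok = user_allowed(cfg["require"], user)
    if cfg.get("satisfy", "all") == "any":  # either check is enough
        return host_ok or user_ok
    return host_ok and user_ok  # default: both checks must pass

EXAMPLE_A = {"order": "deny,allow", "deny": ["all"],
             "allow": [".darkscape.net"], "require": ("group", "managers")}
EXAMPLE_B = dict(EXAMPLE_A, satisfy="any")
```

Host name rules depend on the server's reverse DNS lookup of the client address, which is why the model takes the resolved name as an input. With Satisfy Any, a client from an allowed host is served without any login at all.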


Link: http://kb.darkscape.net/htaccess