Dear Wiki user, You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.
The following page has been changed by VinkoVrsalovic: http://wiki.apache.org/httpd/ScratchPad/htaccess The comment on the change is: Major reordering and a bit of new content and tweaking ------------------------------------------------------------------------------ Not really; .htaccess files '''''can''''' be used to provide password protection the same way the main configuration files can be used to provide password protection; there is nothing special about .htaccess for this purpose. - == When should I & should I not use .htaccess files? == + === It must be called .htaccess === + Nope, you can define its name through the [http://httpd.apache.org/docs/2.0/mod/core.html#accessfilename AccessFileName] directive. It isn't recommended practice, though, specially if you'll provide shared hosting or something like that were + unknown people will have web space and expect .htaccess files to be supported. + + == When should I (not) use .htaccess files? == + - === Should Use === + === Should use === .htaccess files should really only be used when you cannot directly edit the main configuration files! - Using htaccess files will cause apache to search for them in every directory it recurses into. It will then read this every time it enters the directory + Using .htaccess files will cause Apache to search for them in every directory it recurses into every time the .htaccess + containing directory is accessed, for a better explanation, see ["ScratchPad/htaccessGotchas"]. (move that explanation here?) === Should not use === - You should not use htaccess when : + You should not use .htaccess when: 1. When you have access to edit the main server configuration file(s) - 1. When server performance is of concern to you as these can have a negative impact on server performance. - 1. When untrusted people host websites on the server. (See notes on how to disable .htaccess files) + 1. When server performance is of concern to you. + 1. When untrusted people host websites on the server. (See How can I prevent users from using .htaccess? and How can I control what users can do with .htaccess files? (How to link to headings of this doc????) ) + == How can I create a new .htaccess file? == - === But it's ugly having all that stuff in the main config file === + Use your favourite editor to create a .htaccess file in the folder where you want it to take affect. + Make sure that the file can be read by Apache's UID. - Well, it might be, but you can use the Include directive to alleviate that if it really bothers you! + == What can I do with my .htaccess file? == + .htaccess files are containers for subset of Apache directives. .htaccess files apply only to the directory they're placed in and all its descendants. - Let's suppose you dislike huge config files and that, for instance, you want to provide password authentication for all your virtual hosts. You could put a .htaccess in the root of each virtual host, or you could create a - subdirectory within the Apache config directory, containing a config file per vhost with the proper directives -- such as /usr/local/apache2/conf/vhosts-protection. Then, in httpd.conf, you could write + This means you can think of .htaccess files as dynamically adding the following to the master Apache configuration: - {{{ - Include /usr/local/apache2/conf/vhosts-protection/*.conf - }}} - - '''/usr/local/apache2/conf/vhosts-protection/vhost-1.conf''' - {{{ - <Directory /var/www/html/vhost-1> - AuthType Basic - AuthName "Authentication Required" - AuthUserFile /etc/htpasswd/vhost-1/.htpasswd - Require valid-user - - Order allow,deny - Allow from all - </Directory> - }}} - - And so on for the rest of your virtual hosts. - - Now let's suppose you really must use .htaccess files; the .htaccess file should be located in /var/www/html/vhost-1/ should look like: - - '''/var/www/html/vhost-1/.htaccess''' - {{{ - AuthType Basic - AuthName "Authentication Required" - AuthUserFile /etc/htpasswd/vhost-1/.htpasswd - Require valid-user - - Order allow,deny - Allow from all - }}} - - As you can see, .htaccess files are restricted to the directory they're placed in, and thus you can think of .htaccess files as dynamically adding the following to the master Apache configuration: {{{ <Directory /path/to/folder-with.htaccess> @@ -81, +56 @@ </Directory> }}} - - == How do I use .htaccess files? == - - .htaccess files are containers for certain, restricted Apache directives. Note that some directives might be ignored due to Override configuration in the main config files. - - You must place the .htaccess file in the directory where you want it to effect changes. For example if you want to use a .htaccess file to force authentication for www.example.com/admin + You must place the .htaccess file in the directory where you want it to effect changes. For example if you want to use a .htaccess file to force authentication for http://www.example.com/admin If your !DocumentRoot is {{{ @@ -97, +67 @@ {{{ /var/www/html/www.example.com/admin }}} + + === That's ok, but what CAN I do? === + + You can put in a .htaccess file any Apache directive that the administrator chooses to enable, from the subset of directives Apache itself supports in .htaccess files, by setting the !AllowOverride directive correctly. + + To check what the administrator enabled, contact her or your hosting provider, or just try. + + To check what directives Apache supports in .htaccess files, find the directive you would like to use in a .htaccess file in the documentation and check out the "Context:" section. If it says .htaccess, then that directive is valid in .htaccess, although it could have been disabled by the administrator, of course. + + Ok, ok an example. Let's suppose you really must use .htaccess files; and that you want to password protect the site we talked about above, located at /var/www/html/www.example.com/admin. A .htaccess file for that task should look like: + + '''/var/www/html/www.example.com/admin/.htaccess''' + {{{ + AuthType Basic + AuthName "Authentication Required" + AuthUserFile /etc/htpasswds/.htpasswd.example.com + Require valid-user + + Order allow,deny + Allow from all + }}} + + == How can I control what users can do with .htaccess files? == + + By setting AllowOverride properly in the proper <Directory> directive. See [http://httpd.apache.org/docs/trunk/mod/core.html#allowoverride AllowOverride] docs. + + == But, I really dislike having all the directives in one huge config file, and .htaccess files help me with that! == + + You can use the Include directive to alleviate that if it really bothers you! Let's see how. + + We'll suppose you dislike huge config files and that, for instance, you want to provide password authentication for all your virtual hosts. You could put a .htaccess in the root of each virtual host, or you could create a + subdirectory within the Apache config directory, containing a config file per vhost with the proper directives -- such as /usr/local/apache2/conf/vhosts-protection. Then, in httpd.conf, you could write + + {{{ + Include /usr/local/apache2/conf/vhosts-protection/*.conf + }}} + + '''/usr/local/apache2/conf/vhosts-protection/www.example1.com.conf''' + {{{ + <Directory /var/www/html/www.example1.com> + AuthType Basic + AuthName "Authentication Required" + #Change the following to either a single file for all domains or to a different naming scheme if you like + AuthUserFile /etc/htpasswds/.htpasswd.example1.com + Require valid-user + + Order allow,deny + Allow from all + </Directory> + }}} + + And so on for the rest of your virtual hosts. == How can I prevent users from using .htaccess? == @@ -110, +132 @@ </Directory> }}} - ''Remember the apllication of a <Directory> block is recursive. So if you set it at the top level is will apply to all sub-directories unless explicity reversed.'' + ''Remember the aplication of a <Directory> block is recursive. So if you set it at the top level is will apply to all sub-directories unless explicity reversed through a different <Directory> directive.'' - - == How can I control what users can do with .htaccess files? == - - By setting AllowOverride properly. See [http://httpd.apache.org/docs/trunk/mod/core.html#allowoverride AllowOverride] docs. - - == How can I create a new .htaccess file? == - - Use your favourite editor to create a .htaccess file in the folder where you want it to take affect. - Make sure that the file can be read by Apache's UID. - - == What can I do with my .htaccess file? == - - You are restricted in two ways: what the administrator chooses to enable, and what Apache itself supports. To check the first one, contact your administrator (or hosting provider, or just try); to check the second way, find the directive you want to use in the documentation, and see the "Context:" section. If it says .htaccess, then that directive is valid in .htaccess. == How do I troubleshoot my .htaccess files? ==
