Dear Wiki user, You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.
The following page has been changed by jink: http://wiki.apache.org/httpd/ScratchPad/htaccess The comment on the change is: fixed up some stuff ------------------------------------------------------------------------------ Not really; .htaccess files '''''can''''' be used to provide password protection the same way the main configuration files can be used to provide password protection; there is nothing special about .htaccess for this purpose. - === Does it have to be called .htaccess === + === It has to be called .htaccess === - Nope, you can define its name through the [http://httpd.apache.org/docs/2.0/mod/core.html#accessfilename AccessFileName] directive. It isn't recommended practice, though, especially if you'll provide shared hosting or something similar where unknown people will have web space and expect .htaccess files to be supported. + No, you can define its name through the [http://httpd.apache.org/docs/trunk/mod/core.html#accessfilename AccessFileName] directive. It isn't recommended practice, though, especially if you'll provide shared hosting or something similar where uninformed people will have web space and expect .htaccess files to be supported. == When should I, and should I not use .htaccess files? == + Allowing .htaccess files will make Apache look for them upon every access to your server. Since parent directories are searched as well, this will take some (small) amount of time, and can impact your server's performance. + For a better explanation, see ["ScratchPad/htaccessGotchas"]. (move that explanation here?) + === Should use === - .htaccess files should really only be used when you cannot directly edit the main configuration files! + .htaccess files should really only be used when you cannot directly edit the main configuration files. - - Using .htaccess files will cause Apache to search for them in every directory it recurses into every time the .htaccess - containing directory is accessed, for a better explanation, see ["ScratchPad/htaccessGotchas"]. (move that explanation here?) === Should not use === You should not use .htaccess when: - 1. When you have access to edit the main server configuration file(s) + 1. you have access to edit the main server configuration file(s). - 1. When server performance is of concern to you. + 1. server performance is of concern to you. - 1. When untrusted people host websites on the server. (See How can I prevent users from using .htaccess? and How can I control what users can do with .htaccess files? (How to link to headings of this doc????) ) + 1. untrusted people host websites on the server. (See How can I prevent users from using .htaccess? and How can I control what users can do with .htaccess files? (How to link to headings of this doc????) ) == How can I create a new .htaccess file? == - Use your favourite editor to create a .htaccess file in the folder where you want it to take affect. + Use your favourite editor to create a .htaccess file in the folder where you want it to take effect. Make sure that the file can be read by Apache's UID. == What can I do with my .htaccess file? == - .htaccess files are containers for subset of Apache directives. .htaccess files apply only to the directory that they are placed in and all its descendants. + .htaccess files are containers for a subset of Apache directives. .htaccess files apply to the directory they are placed in and all its descendants. I.e. a .htaccess file in /path/to/site, will apply to that directory, but to /path/to/site/images too! This means you can think of .htaccess files as dynamically adding the following to the master Apache configuration: {{{ - <Directory /path/to/folder-with.htaccess> + <Directory /path/to/site> - #.htaccess content goes here + # .htaccess content goes here </Directory> }}} - You must place the .htaccess file in the directory where you want it to effect changes. For example if you want to use a .htaccess file to force authentication for http://www.example.com/admin + You must place the .htaccess file in the directory where you want it to take effect. For example if you want to use a .htaccess file to force authentication for http://www.example.com/admin, and your !DocumentRoot is set to /var/www/html/www.example.com, you would place the .htaccess file in /var/www/html/www.example.com/admin . + === So, what can I use? === - If your !DocumentRoot is - {{{ - /var/www/html/www.example.com - }}} + You can put in a .htaccess file any Apache directive that the administrator chooses to enable, from the subset of directives that Apache supports in .htaccess files. This works by setting the !AllowOverride directive correctly. - Then you would place your .htaccess file in - {{{ - /var/www/html/www.example.com/admin - }}} - === That's ok, but what CAN I do? === + To check what the administrator enabled, contact them or your hosting provider, or just try. - You can put in a .htaccess file any Apache directive that the administrator chooses to enable, from the subset of directives Apache itself supports in .htaccess files, by setting the !AllowOverride directive correctly. + To check what directives Apache supports in .htaccess files, look for the directive you would like to use in the documentation and check out the [http://httpd.apache.org/docs/trunk/mod/directive-dict.html#Context Context:] section. If it says .htaccess, then that directive is valid in .htaccess, unless it has been disabled by the administrator. + An example. Let's suppose you really must use .htaccess files and that you want to password protect the location we talked about above, located at /var/www/html/www.example.com/admin. A .htaccess file for that task should look like: - To check what the administrator enabled, contact her or your hosting provider, or just try. - - To check what directives Apache supports in .htaccess files, find the directive you would like to use in a .htaccess file in the documentation and check out the "Context:" section. If it says .htaccess, then that directive is valid in .htaccess, although it could have been disabled by the administrator, of course. - - Ok, an example. Let's suppose you really must use .htaccess files; and that you want to password protect the site we talked about above, located at /var/www/html/www.example.com/admin. A .htaccess file for that task should look like: '''/var/www/html/www.example.com/admin/.htaccess''' {{{ @@ -84, +74 @@ AuthUserFile /etc/htpasswds/.htpasswd.example.com Require valid-user + Order deny,allow - Order allow,deny - Allow from all }}} == How can I control what users can do with .htaccess files? == - By setting AllowOverride properly in the proper <Directory> directive. See [http://httpd.apache.org/docs/trunk/mod/core.html#allowoverride AllowOverride] docs. + By setting AllowOverride in the proper <Directory> directive. See the [http://httpd.apache.org/docs/trunk/mod/core.html#allowoverride AllowOverride] documentation. == But, I really dislike having all the directives in one huge config file, and .htaccess files help me with that! == + This is not a valid reason, since you can use [http://httpd.apache.org/docs/2.2/mod/core.html#include Include]. + + ---- + (I suggest moving this part to its own section) You can use the Include directive to alleviate that if it really bothers you! Let's see how. We'll suppose you dislike huge config files and that, for instance, you want to provide password authentication for all your virtual hosts. You could put a .htaccess in the root of each virtual host, or you could create a @@ -118, +111 @@ }}} And so on for the rest of your virtual hosts. + (end of suggest) + ---- == How can I prevent users from using .htaccess? == - In your main server config, place the following in your top-level <Directory> block. i.e. + In your main server config, place the following in your top-level <Directory> block. E.g. {{{ <Directory /var/www/html> - ... + # ... other directives - AllowOveride None + AllowOveride None - ... + # ... other directives </Directory> }}} - ''Remember the aplication of a <Directory> block is recursive. So if you set it at the top level is will apply to all sub-directories unless explicity reversed through a different <Directory> directive.'' + ''Remember the application of a <Directory> block is recursive. So if you set it at the top level is will apply to all sub-directories unless explicity reversed through a different <Directory> directive.'' == How do I troubleshoot my .htaccess files? ==
