
CHAPTER THREE - Managing Your Website with .htaccess
The ".htaccess" file can be placed in one or many of the directories in your virtual server. Traditionally this file has controlled access to the pages in a directory (thus the access part of the file name -- and this is what you get if you search the web for .htaccess). With the newer versions of Apache, some of the server configuration parameters are controllable from this file.
When your virtual server goes to hand out a file, it starts checking in the top directory for a .htaccess file, and then checks each subdirectory down to and including the directory that your file is in. Thus you can set the defaults for a virtual server by placing a .htaccess file in the top directory of that virtual server, or for multiple virtual servers at once by placing the file in your home directory (i.e. one directory above the top directories of all your virtual servers).
For example, the Redirect Directive is a nice simple way to push a browser over to a different page if you've re-organized your web-site :-)
If you moved a page in somedir from page1.html to page2.html, then the appropriate line to add to your .htaccess file would be:
Redirect /somedir/page1.html http://your.domain/somedir/page2.html
The common error message is quite a bore:
File Not found
The requested URL /someone/mistyped/a/link.html was not found on this server.
But we've probably all run into a page like the following too:
Oops:
Oops! You've found a bad link! Please consider starting from our top page and working down to the page you were looking for.
Often these pages have a link back to the referring page, and might show you the URL that you tried to access. That is easily accomplished with a little CGI or PHP, but that's beyond the scope of this little resource page.
These pages are examples of Error Documents. The top table is the default, and the bottom table is an example of what you can replace it with. Most types of errors that the web server can run into have error numbers. For example "Not Found" is error 404. (List of Errors below.) The specification of an error document is easy. You add "ErrorDocument", the three digits of the error number, and then either the error string or the page to go to. The following examples show the three forms:
# Apache's documentation says an ErrorDocument for 401 must be a local path, not a full URL.
ErrorDocument 401 http://route66.net/nopasswd.html
ErrorDocument 403 /forbidden.html
ErrorDocument 404 http://route66.com/nofile.html
| Number | Description |
|---|---|
| Error in Client | |
| 400 | Bad Syntax |
| 401 | Unauthorized |
| 402 | Not Used (Payment Granted) |
| 403 | Forbidden |
| 404 | Not Found |
| Error in Server | |
| 500 | Internal Error |
| 501 | Not Implemented |
| 502 | Overloaded |
| 503 | Gateway Timeout |
You can add mime types to your .htaccess file with a line like:
AddType text/html .ttt
How do I secure all web pages in a directory?
If your home directory is yourlogin, create a file named .htaccess in your web directory that contains the following:
AuthUserFile /home/yourlogin/.htpasswd
AuthGroupFile /dev/null
AuthName ByPassword
AuthType Basic
<Limit GET POST>
require user pumpkin
</Limit>
Then in your home directory, type htpasswd -c .htpasswd pumpkin.
This will enable you to secure the directory so that only user pumpkin can enter this directory.
To add additional id/password pairs to the file, leave off the -c, which means 'create a new file'. For example, htpasswd .htpasswd linus. You may well want any of the user/password combinations you created in your .htpasswd file to allow access. Just say require valid-user instead of require user xxx in .htaccess and any of the users you created will be able to access the files.
Note that you want to store the .htpasswd file in your home directory so it is hidden from others. The one drawback to putting your .htpasswd file in your home directory is that you will have to slightly lower the security of your home directory. Go to /home (cd /home) and type chmod +x yourlogin. The WWW server needs execute permission on that directory to read the .htpasswd file.
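An added example, not part of the original page: because the require line above sits inside <Limit GET POST>, Apache applies the password check only to those two methods, so existing .htaccess files are worth auditing for that pattern. The helper name limit_scoped_require and both sample files are constructed for this illustration.

```sh
# limit_scoped_require FILE (hypothetical helper name)
# Prints every "require" that sits inside a <Limit ...> section, where it
# applies only to the listed HTTP methods. Returns 0 if any were found.
limit_scoped_require() {
    awk '
        { low = tolower($0) }
        low ~ /^[ \t]*<limit[ \t]/ {
            methods = $0
            sub(/^[ \t]*<[A-Za-z]+[ \t]+/, "", methods)
            sub(/>.*$/, "", methods)
            inside = 1
            next
        }
        low ~ /^[ \t]*<\/limit>/ { inside = 0; next }
        inside && low ~ /^[ \t]*require[ \t]/ {
            printf "line %d: require applies only to %s\n", NR, methods
            found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

demo_dir=$(mktemp -d)

# Constructed sample 1: the directives as this page gives them.
cat > "$demo_dir/limited.htaccess" <<'EOF'
AuthUserFile /home/yourlogin/.htpasswd
AuthGroupFile /dev/null
AuthName ByPassword
AuthType Basic
<Limit GET POST>
require user pumpkin
</Limit>
EOF

# Constructed sample 2: same policy with require outside any <Limit>.
cat > "$demo_dir/all_methods.htaccess" <<'EOF'
AuthUserFile /home/yourlogin/.htpasswd
AuthGroupFile /dev/null
AuthName ByPassword
AuthType Basic
require user pumpkin
EOF

for f in "$demo_dir"/*.htaccess; do
    limit_scoped_require "$f" || echo "$f: require covers every method"
done
```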
How do I create a secure password?
Make it at least 6 characters long. Include at least one number, capital letter, or punctuation mark in the name.
How do I create secure ftp directories?
To make a directory named direct that can only be accessed by userid fred, go to the directory above direct and type chown fred direct. If you wish for only fred to read and write in it, type chmod 700 direct. If you wish to allow others to read these files you can type chmod a+rx direct after typing the first command.
The above only works if you are fred. If you are not, but fred is in your group, ask us to make a new group for you and fred, your2grp. Then you can chgrp your2grp direct, and chmod g=rwx direct. If you do not wish anyone else to be able to read these files, use chmod o-rx direct.
To list the access permissions of a file, type ls -l file, and for a directory, ls -ld directory. r=read access, x=execute access, w=write access. After the first letter or hyphen (for file type), the first three letters apply to you, the second three letters apply to your group, the last three letters apply to everyone else. Execute access enables you to run programs or enter directories.
Examples of using chmod:
PEOPLE
u = the file's user (or owner)
g = the file's group
o = others
a = the user, the group, and others
PERMISSIONS
r = read access
x = execute access
w = write access
chmod a+w = let everyone write to the file
chmod go-r = don't let people in the file's group or others read the file
chmod g+x = let people in the file's group execute the file
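An added example, not part of the original page, that replays the chmod commands from this section, and the earlier chmod +x step for the home directory, in a scratch directory and reads the modes back from ls -ld. The helper names perms and other_can_read, the scratch tree and the umask of 022 are assumptions; chown and chgrp are left out because they need a second account.

```sh
# perms PATH -> "u=rwx g=r-x o=--x", cut from the ls -ld mode string
perms() {
    ls -ld "$1" | awk '{ printf "u=%s g=%s o=%s\n",
        substr($1, 2, 3), substr($1, 5, 3), substr($1, 8, 3) }'
}

# other_can_read FILE TOP: true when the "others" bits let a process that is
# neither owner nor group member (assumed here: the web server) open FILE,
# i.e. x on each directory between TOP and FILE, and r on FILE itself.
other_can_read() {
    [ "$(ls -ld "$1" | cut -c8)" = r ] || { echo "no o+r on $1"; return 1; }
    dir=$(dirname "$1")
    while [ "$dir" != "$2" ] && [ "$dir" != / ]; do
        case $(ls -ld "$dir" | cut -c10) in
            x|t) ;;
            *) echo "no o+x on $dir"; return 1 ;;
        esac
        dir=$(dirname "$dir")
    done
}

umask 022                        # assumed default: files 644, directories 755
top=$(mktemp -d)                 # constructed stand-in for /home
mkdir "$top/yourlogin" "$top/direct"
: > "$top/yourlogin/.htpasswd"   # empty placeholder file, mode 644

chmod 700 "$top/yourlogin"       # a private home directory
before=$(other_can_read "$top/yourlogin/.htpasswd" "$top") || true
chmod +x "$top/yourlogin"        # the page's step: others may traverse, not list
home_mode=$(perms "$top/yourlogin")

chmod 700 "$top/direct";   direct_private=$(perms "$top/direct")
chmod a+rx "$top/direct";  direct_shared=$(perms "$top/direct")
chmod g=rwx "$top/direct"; chmod o-rx "$top/direct"
direct_group=$(perms "$top/direct")

echo "before chmod +x: $before"
echo "home:   $home_mode"
echo "direct: $direct_private -> $direct_shared -> $direct_group"
```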
How do I secure all CGIs and a CGI directory?
To stop people from being able to read your scripts under all circumstances, end your CGI scripts with the name .cgi.