HTACCESS PROTECTION OF WEB DATA ON COXETER

This help page describes how to restrict access to a web directory either by means of a password or by restricting access to certain machines using htaccess. The directions will lead to the creation of three files (.htaccess, .htgroups and .htusers) in the directory to be protected. The first two of these are created using your editor by adjusting the samples presented below. The .htusers file is created automatically using the htpasswd command below.

## Creating the .htaccess file

Below is a sample .htaccess file for user "jones" to protect the subdirectory "private", where access is to be restricted via a password. The file would be "/www/jones/private/.htaccess".

    #------begin sample .htaccess file-------------------------------------
    AuthName "MY SPECIAL FILES"
    AuthType Basic
    AuthUserFile /www/jones/private/.htusers
    AuthGroupFile /www/jones/private/.htgroups
    <Limit GET>
      require group GROUPNAME
    </Limit>
    #--------end sample .htaccess file------------------------------------

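This sample will need to be adjusted for the directory you wish to protect. Note that the "require" line sits inside `<Limit GET>`, so the password requirement applies only to GET (and HEAD) requests; other request methods, such as POST, are not covered by it.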

The "AuthName" gives the string that will be used when requesting the password, that is, the user will see (using the above sample file):

    Enter username for MY SPECIAL FILES at www.math.toronto.edu:


## Creating the .htgroups file

The /www/jones/private/.htgroups file (which is also created with your favourite editor) could contain a single line:  

    GROUPNAME: user1 user2

## Creating the .htusers file

The .htusers file is created by running (on coxeter):  

    touch /www/jones/private/.htusers
    htpasswd -s /www/jones/private/.htusers user1
    htpasswd -s /www/jones/private/.htusers user2

Of course if you only need one user/password for access then that will simplify the .htusers file slightly.

Following these instructions, the /www/jones/private/.htusers file would contain the two lines:

    user1:{SHA}PaVBVZkYqAjCQCu6UBL2xgsnZhw=
    user2:{SHA}kkKdgqQekwSGxt5evalgLVXDmYY=

...with the password information stored in hashed form in the long strings.
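The `{SHA}` strings written by `htpasswd -s` are unsalted SHA-1 digests in base64, so two users with the same password get identical entries; this is one reason the .htusers file has to be kept unreadable to others. The following is an added example, not part of the original help page, that audits a .htusers file for this; the function names and the sample entries are constructed for illustration.

```python
import base64
import binascii
import hashlib
from collections import defaultdict

def sha_entry(user, password):
    """Line in the format `htpasswd -s` writes: user:{SHA}base64(sha1(pw))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"

def scheme(field):
    """Classify one hash field by the prefix Apache uses for each format."""
    if field.startswith("{SHA}"):
        return "sha1-unsalted"
    if field.startswith("$apr1$"):
        return "apr1-md5"
    if field.startswith("$2y$"):
        return "bcrypt"
    return "other"

def audit(text):
    """Return (scheme per user, groups of users whose {SHA} hashes match)."""
    schemes, by_hash = {}, defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, field = line.split(":", 1)
        schemes[user] = scheme(field)
        if schemes[user] == "sha1-unsalted":
            try:
                digest = base64.b64decode(field[5:], validate=True)
            except binascii.Error:
                digest = b""
            if len(digest) != 20:          # a SHA-1 digest is always 20 bytes
                schemes[user] = "malformed-sha1"
                continue
            by_hash[digest].append(user)
    shared = sorted(sorted(u) for u in by_hash.values() if len(u) > 1)
    return schemes, shared

# Constructed sample file: user1 and user2 were given the same password.
SAMPLE = "\n".join([
    sha_entry("user1", "password"),
    sha_entry("user2", "password"),
    sha_entry("user3", "correct horse"),
    "user4:{SHA}not-base64",
])

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Because there is no salt, the audit can spot shared passwords without knowing any password, and so could anyone else who obtains the file.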

With things set up as described above, when people try to access http://www.math.toronto.edu/jones/private/ (this URL is not currently valid; it is just an example), they will be prompted for a username and password. Note the trailing "/" in the URL (sometimes called a "web address") on the previous line. If you don't use the trailing "/" and you don't have an index.html file in your protected directory, then people trying to visit your page will be asked twice for the username and password.

If you want to allow access only from specific places (for example within our departmental network) then you can create a .htaccess file similar to the following:

    #--------------------------------------------
    <Limit GET>
      order deny,allow
      deny from all
      allow from .math.toronto.edu
      allow from .math.utoronto.ca
    </Limit>
    <Limit POST>
      order deny,allow
      deny from all
    </Limit>
    #--------------------------------------------

Note that htaccess distinguishes between utoronto.ca and toronto.edu, so to be on the safe side include both.

## DON'T FORGET

Finally, you need to send email to "requests@math.toronto.edu" asking that your .htusers file (please specify the exact location of the file, including the directory you put it in) be properly protected.

## Much more

One can use .htaccess to change the MIME type of some files. Example:

    <FilesMatch "\.djvu$">
      ForceType image/x-djvu
    </FilesMatch>

Here "\.djvu$" could be replaced by any regular expression, and image/x-djvu by any MIME type.

Another example: you have a PHP file that produces graphics output, and you want to refer to it from a remote bulletin board which, however, does not allow references to files with the extension php. You rename it to foo.jpg and, so that it is still processed as PHP on the server side, you put the following in .htaccess:

    <FilesMatch "foo\.jpg$">
      ForceType application/x-httpd-php
    </FilesMatch>