By default, our web server will display a list of files in a
directory if there is no index.html, index.cgi
or other index file present. Some users feel this gives out too
much information about the contents of their web sites. To turn
this option off, create a file in your .www directory
called .htaccess if one doesn't exist. Then, add the
following line to it:
Options -Indexes
Be sure that your .htaccess file is world-readable. To do this, run
the following command from your home directory:
chmod a+r .www/.htaccess
A common question from our users is how to restrict a personal web page so that
only certain people have access to it. This document describes the simplest
way of accomplishing this goal, by creating a .htaccess file in your home
directory that tells the web server to only allow access to people who you've
given a username and password. This document assumes you have already created
your home page as described in the Creating Your Homepage document.
You can restrict access to a directory tree
by creating an .htaccess file within the root of the tree. Below
is a sample .htaccess file. To create your own, cut and paste
this text into a file called .htaccess in your .www directory. For example,
with pico, you would type:
% pico ~/.www/.htaccess
Then cut and paste the following text into the pico editor and exit pico:
AuthUserFile /home/xyz/username/.www/.htpasswd
AuthType Basic
AuthGroupFile /dev/null
AuthName "Site Authentication"
# No <Limit> wrapper: the rules below then apply to every request method,
# not only GET and POST.
order allow,deny
allow from all
require valid-user
The "require valid-user" line requires anyone accessing this directory
to enter a username and password. These username/password
pairs are stored in a separate file specified by the "AuthUserFile"
directive. Generally this file is called .htpasswd. Make sure
that the /home/xyz/username/.www/.htpasswd above is replaced with the
full Unix path to the .htpasswd file you create.
The .htpasswd file can be created with the
htpasswd command. To use the htpasswd program, run the following command:
htpasswd --userid testuser
This program will create a username and encrypted password pair that will be added to the .htpasswd file you defined in the AuthUserFile directive of your .htaccess file.
If you cannot find a machine with htpasswd installed, you can use an
online htpasswd generator.
This will create the username and password pair that you can then copy and paste into your .htpasswd file.
Please note that the authentication method used here sends passwords in the clear. You should
not use your IT Labs or CS password in the .htpasswd file. Choose a different
password and be aware that there is some chance of your password being intercepted by malicious hackers.
You can add as many usernames and passwords to the .htpasswd file as you like
using this method. When a user tries to access the directory containing
the .htaccess file, he/she will be prompted to enter a username and password.
Only if he/she enters a valid username and password will access to the site
be granted.
The web server runs as user "www", an unprivileged user, just like you, so
you must make sure the file permissions are set such that any normal user can
read the .htaccess and .htpasswd files. The passwords are encrypted, so this isn't
a problem if you choose good passwords. Also make sure the permissions on the
directory are at least world executable. If you aren't sure about the above,
do the following. (This assumes that your .htpasswd file is in the same directory as your .htaccess file.)
% cd ~/.www
% chmod 701 .
% chmod 644 .htaccess
% chmod 644 .htpasswd
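The following check is an added example, not part of the original page or the site's own tooling. It defines a shell function, audit_htaccess (a name chosen here), that verifies the directory and file permissions and the AuthUserFile path described above, and flags a <Limit> wrapper, because Apache applies rules inside <Limit> only to the methods it lists.

```shell
#!/bin/sh
# Added example: audit a web directory set up as described on this page.
# Prints one line per finding; the return status is the number of findings.
# Usage (after sourcing this file): audit_htaccess ~/.www

# other_has <path> <r|x>: true if the "other" permission bits include the flag.
other_has() {
    case $(ls -ld "$1" | cut -c8-10) in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

fail() { echo "FAIL: $1"; problems=$((problems + 1)); }

audit_htaccess() {
    dir=$1; ht="$dir/.htaccess"; problems=0

    [ -d "$dir" ] || { fail "$dir is not a directory"; return "$problems"; }
    # The server runs as an unprivileged user: it needs x on the directory
    # and r on both files (the chmod 701 / 644 settings).
    other_has "$dir" x || fail "$dir is not world-executable (chmod 701)"
    [ -f "$ht" ] || { fail "no .htaccess in $dir"; return "$problems"; }
    other_has "$ht" r || fail ".htaccess is not world-readable (chmod 644)"

    # AuthUserFile must be a full path to an existing, world-readable file.
    pw=$(awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2; exit }' "$ht")
    case $pw in
        "") fail "no AuthUserFile directive" ;;
        /*) if [ ! -f "$pw" ]; then
                fail "AuthUserFile $pw does not exist"
            elif ! other_has "$pw" r; then
                fail "$pw is not world-readable (chmod 644)"
            fi ;;
        *)  fail "AuthUserFile $pw is not a full path" ;;
    esac

    grep -qi '^[[:space:]]*require[[:space:]]' "$ht" ||
        fail "no require directive, so no password is asked for"
    # Apache applies rules inside <Limit> only to the methods it lists.
    if grep -qi '^[[:space:]]*<Limit[[:space:]]' "$ht"; then
        fail "<Limit> protects only the listed request methods"
    fi

    [ "$problems" -eq 0 ] && echo "OK: $dir"
    return "$problems"
}
```

A return status of 0 means every check passed; any other value is the number of FAIL lines printed.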
This document covers only the most rudimentary aspects of authentication and access control.
Full information is available from the
Apache Tutorial for .htaccess files or
Apache's Authentication documentation.
Note: If you want to restrict access to a subdirectory, place the
.htaccess file in that subdirectory rather than the document
root. Consult the Apache documentation at
www.apache.org for more
information.