About .htaccess Files

by Piet Vloet

Each directory can contain a file named ".htacess" that controls access to the pages in that directory. This depends on the files

Description of the .htaccess file:

Each line begins with a keyword with one or more arguments. A keyword is case insensitive. Also comment lines, a line starting with a '#', and blank lines are allowed.

Keywords for .htaccess

AuthType             <type>
                     Which Authentication mechanism to use
                     type  ::  Basic | Digest

AuthName             <name>
                     Text displayed in password prompt from the browser
                     name  ::  <ASCII>

AuthUserFile         <filename>
                     Reference to user file, inclusive path (See below)

AuthGroupFile        <filename>
                     Reference to group file, inclusive path (See below)

Limit                <op>
                     List of operations     
                     op    ::  "GET|POST|.."


The following Keywords should be enclosed by the keywords "Limit" and "/Limit": Require, Order, Deny, Allow

USER and/or GROUP protection

Require              <key value>
                     key   ::  "user|group"
                     value ::  "<username>|<groupname>"
                     "value" must be specified in the AuthUserFile or AuthGroupFile

NETWORK based protection

In the case "allow" and/or "deny" is specified, order must be specified too!

Order                <value,value>
                     value ::  "allow|deny"

Deny                 <args>
                     args  ::  "[from] {fully qualified network}* | all"

Allow                <args>
                     args  ::  "[from] {fully qualified network}* | all


The AuthUserfile file "passwd" has this format:


The generation of encrypted passwords is support by the tcl package "crypt". On unix you can copy e.g. an entry from the "passwd"/"shadow" file to the AuthUserFile however since Basic authentication sends passwords in the clear, doing so can expose your system to password sniffing attack.

The AuthGroupFile file "group" has this format:



HomeStatusLearnCGI TestsTemplatesAccess ControlReference Manual