Sound Internet Access Control

Most people want their Web pages to simply be available to all browsers. When your account is created, this is the default setting for your site. However, you may decide to restrict access to some subdirectories. Perhaps you have some "private" company pages that only employees should see. Or maybe you are charging a fee for access to some parts of your site. Regardless of the reason, controlling access to your Web directories is easy to do. You can also control access to your site through the use of several types of Redirections.

An Introduction to .htaccess

Access to your directories through the Web server is controlled with a file named ".htaccess", which is in your "WWW" directory. A default .htaccess file may have been created when your account was created. Its contents are as follows:

Default .htaccess
<Limit GET POST PUT>
order allow,deny
allow from all
</Limit>

The meaning of this file is to allow Web requests from "all" domains. No authentication is required, and it doesn't matter from which Internet address the request originates.

Note:
The access control of a directory is specified either explicitly by a ".htaccess" file in that directory or inherited from its parent directory. That is, if you create a subdirectory called "manuals" in your "www" directory, then by default the "manuals" subdirectory will have the same access control setup as specified by the ".htaccess" file in "www".



Limiting Access by Domain

To restrict access to a subdirectory based on the domain from which the user is requesting the page, you need to create a new .htaccess file in that subdirectory. The file should look like one of the following examples:

Denying Access to a Domain
<Limit GET POST PUT>
order allow,deny
allow from all
deny from netscape.com
</Limit>

Allowing Access to ONLY one Domain
<Limit GET POST PUT>
order deny,allow
deny from all
allow from netscape.com
</Limit>

What does all this mean?
The first example, denying access to a domain, tells the Web server to refuse access to the directory to anyone who is coming from a domain containing netscape.com. Everyone but users from netscape.com will be allowed access. The second example does the reverse. It tells the server to only allow access to people from netscape.com; all others are refused. For your own site, simply replace netscape.com with the domain you want to accept or refuse.
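The two examples above can be checked with the following Python script, added here as an illustration and not part of the original page. It applies the order/allow/deny rules the way the server does and assumes the server has already resolved the client's address to a hostname, which it must do before any domain-based rule can match.

```python
# Added example (not from the page): evaluate a <Limit> block the way the
# server does; assumes the client address was already resolved to a hostname.
import re

DENY_ONE_DOMAIN = """<Limit GET POST PUT>
order allow,deny
allow from all
deny from netscape.com
</Limit>"""

ALLOW_ONLY_ONE_DOMAIN = """<Limit GET POST PUT>
order deny,allow
deny from all
allow from netscape.com
</Limit>"""

def parse_limit(htaccess_text):
    """Return (order, allow_patterns, deny_patterns) from the <Limit> block."""
    m = re.search(r"<Limit[^>]*>(.*?)</Limit>", htaccess_text, re.S | re.I)
    if m is None:
        raise ValueError("no <Limit> block found")
    order, allow, deny = None, [], []
    for line in m.group(1).splitlines():
        parts = line.strip().lower().split()
        if parts[:1] == ["order"]:
            order = tuple(parts[1].split(","))
        elif parts[:2] == ["allow", "from"]:
            allow += parts[2:]
        elif parts[:2] == ["deny", "from"]:
            deny += parts[2:]
    if order not in (("allow", "deny"), ("deny", "allow")):
        raise ValueError("order must be allow,deny or deny,allow")
    return order, allow, deny

def host_matches(host, pattern):
    """'all' matches everyone; a domain matches itself and its subdomains
    on a label boundary (fakenetscape.com does not match netscape.com)."""
    host = host.lower().rstrip(".")
    return pattern == "all" or host == pattern or host.endswith("." + pattern)

def is_allowed(htaccess_text, client_host):
    """Default verdict is the last keyword of 'order'; allow/deny lists are
    then applied in that order, so when both match the later one wins."""
    order, allow, deny = parse_limit(htaccess_text)
    allowed = order[-1] == "allow"
    for kind in order:
        patterns = allow if kind == "allow" else deny
        if any(host_matches(client_host, p) for p in patterns):
            allowed = kind == "allow"
    return allowed
```

Note that a host such as fakenetscape.com is not covered by a rule for netscape.com: matching stops at a label boundary, so write the rule for the exact domain you mean.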



Turning Directory Indexes On/Off

Directory Indexes are FTP-like listings of the files in a Web directory. By default, this is turned ON for your Web site. This means that if someone requests a URL for your site that does not specify a filename (e.g. http://www.scc.net/), the server will look for a file named "index.html" or "index.htm", in that order. If it finds neither, the user will see a list of the files in that directory. If you do not want to allow direct access to a directory's files, you can bypass this behavior with an empty index.html file. Simply upload an empty file with ftp, or create one from the unix prompt with this command:

touch index.html

Be sure you're in the correct directory when typing this command.

Limiting Access by Username & Password

Creating the .htaccess file
You can also control access to a directory on a per-user basis. The first step is to create the proper ".htaccess" file. An example is given below.

Controlling Access by User/Password
AuthType Basic
AuthName PrivateStuff
AuthUserFile /home/mycompany/www/private/passwd
<Limit GET POST PUT>
require valid-user
</Limit>

This .htaccess file contains three new parameters: "AuthType", "AuthName", and "AuthUserFile". The first two simply describe the authentication you are using. Use "Basic" for the AuthType and something descriptive for the "AuthName". The AuthUserFile parameter specifies the name of the file in which to look for valid users. This should be the full name of the file, including the path. The example given is for a file named "passwd" in the subdirectory named "private" in the Web area for a user named "mycompany".

IMPORTANT: The password file itself (passwd in the example above) should not be in a Web-accessible directory, and in particular not in the protected directory itself. Also, do not turn on Directory Indexes for the directory containing your password file, or for the limited-access directory (which contains the .htaccess file naming the password file).

Creating the Username/Password file
Once the .htaccess file is set up, you need to create the password file containing the usernames and passwords of the people you want to allow into the directory. This is accomplished with a program called htpasswd. Go to the directory where you want to create the password file (for the example, the subdirectory "www/private" for user "mycompany"). Then type the command:

htpasswd -c passwdfile username

Where "passwdfile" is the name of the file you want to create and "username" is the name of the user you want to add to the file. You will be prompted for that user's password. The password is encrypted (one-way hashed) before it is stored in the file, so it cannot be recovered by reading the password file.

Your subdirectory can now only be accessed by people who know a valid username and password. To add additional usernames to the file, simply type "htpasswd passwdfile username" (i.e. the same as before but without the "-c"). To remove a username, delete the line in the file containing that name.
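As an added illustration (not part of the original page), the following Python reproduces what the htpasswd commands above do to the file: "-c" starts a fresh file, a plain add appends or updates a user, and removal is deleting that user's line. It writes the unsalted {SHA} entries that "htpasswd -s" produces only because the standard library can reproduce that format; the salted schemes htpasswd offers are the better choice for a real file.

```python
# Added example (not from the original page): an in-memory model of an
# htpasswd file. create=True mirrors 'htpasswd -c', which starts a new file
# and discards any users already in it. Entries use the unsalted {SHA}
# form of 'htpasswd -s' so the result can be reproduced with hashlib alone;
# prefer the salted schemes htpasswd offers for a file you actually deploy.
import base64
import hashlib
import hmac

def sha_entry(password):
    """Hash a password the way 'htpasswd -s' does: {SHA} + base64(sha1(pw))."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def add_user(lines, username, password, create=False):
    """Return the file's lines after adding or updating username."""
    if ":" in username:
        raise ValueError("username may not contain ':'")
    entry = f"{username}:{sha_entry(password)}"
    if create:                      # -c: brand-new file, old users are lost
        return [entry]
    kept = [l for l in lines if l.split(":", 1)[0] != username]
    return kept + [entry]

def remove_user(lines, username):
    """Delete the line for username, as the text above describes."""
    return [l for l in lines if l.split(":", 1)[0] != username]

def check_login(lines, username, password):
    """True if username exists and the password matches its stored hash."""
    for l in lines:
        name, _, stored = l.partition(":")
        if name == username:
            return hmac.compare_digest(stored, sha_entry(password))
    return False
```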



Protecting Directories from Everyone

Files in your www area can be read by other users on the system, not only through Web browsers. If you want to prevent this type of access as well (and create a truly "private" file or subdirectory), use the "chmod" command (for CHange MODe). To set a file or directory so that only you can read it, type the line:

chmod go-rwx filename

This removes ("-") the Read, Write and eXecute privileges for Groups and Others. Only the User who owns the file can now read it. If you want everyone in your Group to be able to read the file, but not Others, use "chmod o-rwx filename" instead.

Note:
A file must be readable by "others" if you want it to be viewable through the Web server. To make a (previously protected) file or directory available over the Web, type

chmod o+r filename
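The following Python script, added here as an illustration and not part of the original page, applies the chmod settings above to a constructed temporary www tree and reports whether "others" (which is how the Web server sees your files) can still reach a page. It goes one step beyond the page: on a directory the server also needs the execute ("search") bit, so "o+r" alone does not reopen a directory and "o+x" is needed too.

```python
# Added example (not from the original page): applies the chmod settings
# described above to a constructed temporary www tree. Going beyond the page,
# it also checks the execute bit a directory needs before others can enter it.
import os
import stat
import tempfile

WHO_BITS = {"u": (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR),
            "g": (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP),
            "o": (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)}

def apply_chmod(path, spec):
    """Apply one symbolic spec such as 'go-rwx' or 'o+r'; return the new mode."""
    op = "+" if "+" in spec else "-"
    who, perms = spec.split(op)
    mask = sum(bit for w in who for bit, p in zip(WHO_BITS[w], "rwx") if p in perms)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    mode = mode | mask if op == "+" else mode & ~mask
    os.chmod(path, mode)
    return mode

def others_can_use(path):
    """Others need r on a file, but r and x on a directory to list and enter it."""
    mode = os.stat(path).st_mode
    need = stat.S_IROTH | (stat.S_IXOTH if stat.S_ISDIR(mode) else 0)
    return mode & need == need

def web_reachable(root, rel_path):
    """True when root, every directory below it, and the file are open to others."""
    checks = [root]
    for part in rel_path.split("/"):
        checks.append(os.path.join(checks[-1], part))
    return all(others_can_use(p) for p in checks)

def demo():
    """Lock down a 'private' subdirectory with go-rwx, then reopen it in two steps."""
    root = tempfile.mkdtemp()
    private = os.path.join(root, "private")
    page = os.path.join(private, "index.html")
    os.mkdir(private)
    open(page, "w").close()
    for p, m in ((root, 0o755), (private, 0o755), (page, 0o644)):
        os.chmod(p, m)              # constructed starting point: world-readable
    steps = {"start": web_reachable(root, "private/index.html")}
    for spec in ("go-rwx", "o+r", "o+x"):
        apply_chmod(private, spec)
        steps[spec] = web_reachable(root, "private/index.html")
    return steps
```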


Sound Internet
http://www.scc.net/
© 1997, Sound Internet
staff@scc.net
phone: (651) 999-0999
fax: (651) 644-7990