Set up .htaccess & Permissions
Disabling directory listing
By default, our web server will display a list of files in a directory if there is no index.html, index.cgi or other index file present. Some users feel this gives out too much information about the contents of their web sites. To turn this option off, create a file in your .www directory called .htaccess (if one doesn't already exist). Add the following line to .htaccess:
Be sure that your .htaccess file is world-readable. To do this, run the following command from your home directory:
chmod a+r .www/.htaccess
Apache Access Control
Our users often ask how to restrict access to a personal webpage to only certain, approved visitors. This section describes the simplest way of accomplishing this goal: creating a .htaccess file in your home directory that tells the web server to only allow access to people to whom you've given a username and password. These instructions assume you have already created your home page as described in Creating Your Homepage.
You can restrict access to a directory tree by creating a
.htaccess file within the root of the tree. Below is a sample
.htaccess file. To create your own, cut and paste this text into a file called .htaccess in your .www directory. For example, with pico, you would type:
% pico ~/.www/.htaccess
Then cut and paste the following text into the pico editor and exit pico:
AuthName "Site Authentication"
<Limit GET POST>
The "require valid-user" will require any user accessing this directory to enter a username and password. These username/password pairs are stored in a separate file specified by the "AuthUserFile" directive. Generally this file is called
.htpasswd. Make sure that the /home/xyz/username/.www/.htpasswd above is replaced with the full UNIX path to the .htpasswd file you create.
.htpasswd file can be created with the htpasswd command. To use the htpasswd program, use the following command:
htpasswd --userid testuser
This program will create a username and encrypted password pair that will be added to the .htpasswd file you defined in the AuthUserFile directive of your .htaccess file.
If you can not find a machine with htpasswd installed, you can use the CS&E Password Hash Generator. This will create the username and password pair that you can then copy and paste into your .htpasswd file.
Please note, the authentication method used here sends passwords as plain, unencrypted text. You should not use your CS&E or CSE Labs password in the .htpasswd file. Choose a different password and be aware that there is some chance of your password being intercepted by malicious hackers.
You can add as many usernames and passwords to the .htpasswd file as you like using this method. When a user tries to access the directory containing the .htaccess file, they will be prompted to enter a username and password. Only once they enter a valid username and password will access to the site be granted.
The web server runs as user "www", an unprivileged user, just like you, so you must make sure the file permissions are set such that any normal user can read the
.htpasswd files. The passwords are encrypted, so this isn't a problem if you choose good passwords. Also make sure the permissions on the directory are at least world executable. If you aren't sure about the above, do the following. (This assumes that your .htpasswd file is in the same directory as your .htaccess file.)
% cd ~/.www
% chmod 701 .
% chmod 644 .htaccess
% chmod 644 .htpasswd
This document covers only the most rudimentary aspects of authentication and access control. Full information is available from the Apache Tutorial for .htaccess files or Apache's Authentication documentation.
Note: If you want to restrict access to a subdirectory, place the .htaccess file in that subdirectory rather than the document root. Consult apache documentation at www.apache.org for more information.