SCS Computing
 Services and Solutions
  links to the SCS and CMU home pages Carnegie Mellon School of Computer Science Carnegie Mellon University
 » How to… 
 » Accounts & passwords 
 » AFS 
 » AV help 
 » Backups & restores 
 » Calendaring 
 » E-mail 
 » Networking 
 » Printing 
 » Purchasing 
 » Resource management 
 » Security 
 » Software licensing 
 » Support charges 
 » Support lifecycle 
 » Web publishing 
 » Mac support 
 » Linux support 
 » Windows PC support 

Using .htaccess files

The SCS web servers, like other web servers running Apache web server software, use files named .htaccess (this is the full name of the file, not an extension) to control how a web server can access files in a directory. .htaccess files are plain text files that you can create and edit with any text editor. They contain instructions to the web server concerning who can access files, along with optional other directives.

.htacess files just apply to file access by the SCS web servers. They do not restrict access to files via ordinary AFS file access.

How .htaccess files are used by the web server

When a web server tries to access a file in a directory, for example, /afs/cs/user/bovik/www/index.html it checks every directory in the path to that file (including the directory the file is in) for a .htaccess file. If it does not find one, the web server will not be able to access the file. If it finds a .htaccess file, it uses the directives in that file to control access. Note that later .htaccess files override earlier ones. In the example above, a .htaccess file in /afs/cs/user/bovik/www would override a .htaccess file in /afs/cs/user/bovik.

Note: .htaccess files must be readable by the web servers in order for them to work. This means that the directories containing .htaccess files must have an "wwwsrv:http-ftp rl" AFS ACL (or an even more liberal ACL, such as "system:anyuser rl". See the documentation on special AFS groups for additional information on these groups).

Examples of .htaccess files

The examples below show the complete contents of .htaccess files that have the indicated effects. Be careful when writing .htaccess files. There should be no whitespace between the "deny" and "allow", just a comma.

  • To allow web access of files from anyone:
    Order allow,deny
    allow from all
  • To only allow web access from and hosts:
    order deny,allow
    deny from all
    allow from
    IndexIgnore .htaccess
  • To only allow web access from the specific hosts and
    order deny,allow
    deny from all
    allow from
    IndexIgnore .htaccess

See our documentation on password protecting web pages for examples of how to use .htaccess files to require people to give a password when accessing pages.