Using .htaccess files
The SCS web servers, like other web servers running Apache web server software, use files named .htaccess (this is the full name of the file, not an extension) to control how a web server can access files in a directory. .htaccess files are plain text files that you can create and edit with any text editor. They contain instructions to the web server concerning who can access files, along with optional other directives. .htaccess files are also understood to a small extent by the SCS anonymous FTP servers.
.htaccess files apply only to file access by the SCS web servers. They do not restrict access to files via ordinary AFS file access.
How .htaccess files are used by the web server
When a web server tries to access a file in a directory, for example /afs/cs/user/bovik/www/index.html, it checks every directory in the path to that file (including the directory the file is in) for a .htaccess file. If it does not find one, the web server will not be able to access the file. If it finds a .htaccess file, it uses the directives in that file to control access. Note that later .htaccess files override earlier ones. In the example above, a .htaccess file in /afs/cs/user/bovik/www would override a .htaccess file in /afs/cs/user/bovik.
Note: .htaccess files must be readable by the web servers in order for them to work. This means that the directories containing .htaccess files must have a "wwwsrv:http-ftp rl" AFS ACL (or an even more liberal ACL, such as "system:anyuser rl"). See the documentation on special AFS groups for additional information on these groups.
How .htaccess files are used by the anonymous FTP servers
The SCS anonymous FTP servers understand a very limited subset of .htaccess directives. If the FTP server encounters a directive it does not understand, it will ignore the .htaccess file containing that directive. See our documentation on using anonymous FTP to serve files for more information.
If you do not wish to have your web space accessible via anonymous FTP, it is suggested that you put a directive in your .htaccess file that the FTP server does not understand. For example, the directive:
Important note: The SCS anonymous FTP servers will always be able to list the names of files in a directory, no matter what the .htaccess file contains. The only way to stop this is to use AFS ACLs to restrict access from the anonymous FTP & web servers.
Examples of .htaccess files
The examples below show the complete contents of .htaccess files that have the indicated effects. The examples where you wish to restrict access to particular hosts/domains contain the line "IndexIgnore .htaccess" to prevent access of file contents by the SCS anonymous FTP servers. Be careful when writing .htaccess files. There should be no whitespace between the "deny" and "allow", just a comma.
- To allow web access of files from anyone:
    Order allow,deny
    allow from all
- To only allow web access from .cs.cmu.edu and .ri.cmu.edu hosts:
    order deny,allow
    deny from all
    allow from .cs.cmu.edu .ri.cmu.edu
    IndexIgnore .htaccess
- To only allow web access from the specific hosts foo.cs.cmu.edu and bar.cs.cmu.edu:
    order deny,allow
    deny from all
    allow from foo.cs.cmu.edu bar.cs.cmu.edu
    IndexIgnore .htaccess
See our documentation on password protecting web pages for examples of how to use .htaccess files to require people to give a password when accessing pages.
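The directory walk described under "How .htaccess files are used by the web server" and the cautions in the examples section can be checked before publishing a page. The script below is an added example, not SCS code: the function names htaccess_chain and audit are hypothetical, the sample tree is constructed, and it assumes, as this page describes, that the deepest .htaccess file in the path is the one that takes effect.

```python
import os
import tempfile

def htaccess_chain(file_path, root="/"):
    """List .htaccess files from root down to the file's directory, outermost first."""
    root = os.path.abspath(root)
    directory = os.path.dirname(os.path.abspath(file_path))
    dirs = [directory]
    while directory != root and directory != os.path.dirname(directory):
        directory = os.path.dirname(directory)
        dirs.append(directory)
    candidates = (os.path.join(d, ".htaccess") for d in reversed(dirs))
    return [c for c in candidates if os.path.isfile(c)]

def audit(file_path, root="/"):
    """Return (effective .htaccess or None, list of warnings) for one served file."""
    chain = htaccess_chain(file_path, root)
    if not chain:
        return None, ["no .htaccess in path: the web server cannot access this file"]
    effective = chain[-1]  # assumption from the page: later (deeper) files override earlier ones
    with open(effective) as fh:
        lines = [ln.split() for ln in fh if ln.strip() and not ln.lstrip().startswith("#")]
    words = [[w.lower() for w in ln] for ln in lines]
    warnings = []
    # "order deny, allow" splits into three tokens; the correct form has exactly two.
    if any(w[0] == "order" and len(w) != 2 for w in words):
        warnings.append("whitespace inside the Order argument; use only a comma")
    restricted = ["deny", "from", "all"] in words
    if restricted and not any(w[0] == "indexignore" for w in words):
        warnings.append("host-restricted but no IndexIgnore line to stop anonymous FTP")
    return effective, warnings

if __name__ == "__main__":
    # Constructed sample tree standing in for a user's web directory.
    with tempfile.TemporaryDirectory() as top:
        www = os.path.join(top, "www")
        os.makedirs(www)
        with open(os.path.join(top, ".htaccess"), "w") as fh:
            fh.write("Order allow,deny\nallow from all\n")
        with open(os.path.join(www, ".htaccess"), "w") as fh:
            fh.write("order deny, allow\ndeny from all\nallow from .cs.cmu.edu\n")
        print(audit(os.path.join(www, "index.html"), root=top))
```

The check reads only the filesystem; it does not verify the AFS ACL that lets the web servers read the .htaccess files.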