Using .htaccess files
The SCS web servers, like other web servers running Apache web server software, use files named .htaccess (this is the full name of the file, not an extension) to control how a web server can access files in a directory. .htaccess files are plain text files that you can create and edit with any text editor. They contain instructions to the web server concerning who can access files, along with optional other directives.
.htacess files just apply to file access by the SCS web servers. They do not restrict access to files via ordinary AFS file access.
How .htaccess files are used by the web server
When a web server tries to access a file in a directory, for example, /afs/cs/user/bovik/www/index.html it checks every directory in the path to that file (including the directory the file is in) for a .htaccess file. If it does not find one, the web server will not be able to access the file. If it finds a .htaccess file, it uses the directives in that file to control access. Note that later .htaccess files override earlier ones. In the example above, a .htaccess file in /afs/cs/user/bovik/www would override a .htaccess file in /afs/cs/user/bovik.
Note: .htaccess files must be readable by the web servers in order for them to work. This means that the directories containing .htaccess files must have an "wwwsrv:http-ftp rl" AFS ACL (or an even more liberal ACL, such as "system:anyuser rl". See the documentation on special AFS groups for additional information on these groups).
Examples of .htaccess files
The examples below show the complete contents of .htaccess files that have the indicated effects. Be careful when writing .htaccess files. There should be no whitespace between the "deny" and "allow", just a comma.
- To allow web access of files from anyone:
Order allow,deny allow from all
- To only allow web access from .cs.cmu.edu and .ri.cmu.edu hosts:
order deny,allow deny from all allow from .cs.cmu.edu .ri.cmu.edu IndexIgnore .htaccess
- To only allow web access from the specific hosts foo.cs.cmu.edu and bar.cs.cmu.edu:
order deny,allow deny from all allow from foo.cs.cmu.edu bar.cs.cmu.edu IndexIgnore .htaccess
See our documentation on password protecting web pages for examples of how to use .htaccess files to require people to give a password when accessing pages.