Thursday, 05 July 2012

What is .htaccess?
.htaccess is a configuration file used on web servers running the Apache Web Server software. When an .htaccess file is placed in a directory that is served by Apache, the file is detected and applied by the Apache Web Server software. These .htaccess files can be used to alter the configuration of the Apache Web Server software, enabling or disabling additional functionality and features that Apache has to offer. These facilities range from basic redirects, for instance when a 404 file not found error occurs, to more advanced functions such as content password protection or image hot link prevention.

How to use .htaccess?

.htaccess is the filename, not a file extension. You would not create a file called 'file.htaccess'; it is simply called '.htaccess'. This file takes effect when placed in any directory that is served by the Apache Web Server software, and it applies to that directory and to all files and subdirectories within it. You can create an .htaccess file using any good text editor such as TextPad, UltraEdit or Microsoft WordPad and similar (you cannot use Microsoft Notepad).
A typical .htaccess file might, for example, enable password protection on the directory, redirect to a custom error page if a user fails to log in correctly, and enable SSI (server side includes) for use with '.html' files. Once you have created an .htaccess file, you need to upload it. This should be done using an FTP (file transfer protocol) program; you should already have one, since you will have used it to upload your web site content. When uploading your .htaccess file, it is very important that you upload it in 'ASCII' mode. Upload the .htaccess file to the directory you would like it to take effect over. Now visit this directory using your web browser as you would for any other document on your web site and check that it has worked correctly.

Note that when you upload your .htaccess file it may not appear in the directory listing of files on your web site. Do not worry; this means your server or FTP software is hiding it, which should not be an issue.

A possible cause of error is that the file permissions on the .htaccess file are not set correctly. This only occurs on certain servers, but you may like to change the permissions on the file to '755' or 'executable'.

PURPOSES

1. Deny visitors by IP address

The visitor blocking facilities of the Apache Web Server enable you to deny access to specific visitors, or to allow access only to certain visitors. This is useful for blocking unwanted visitors, or for allowing only the web site owner access to certain sections of the web site, such as an administration area. To set up visitor restrictions and blocking, create an .htaccess file following the main instructions and guidance above which includes the following text:


Order allow,deny
Deny from 225.0.0.0
Deny from 116.55.7.
Allow from all



The above lines tell the Apache Web Server to block visitors from the IP address '225.0.0.0' and from '116.55.7.'. Note that the second address is missing the fourth octet; this means any IP address whose first three octets match will be blocked. (The keywords in 'Order' are separated by a comma only; a space after the comma is a syntax error.) To block all visitors except you, create an .htaccess file following the main instructions and guidance which includes the following text:



Order deny,allow
Deny from all
Allow from 225.0.0.0


The above lines tell the Apache Web Server to block all visitors except those with the IP address '225.0.0.0', which you should replace with your own IP address.

You may add any number of 'Deny from' and 'Allow from' records after the 'Order' line. Note the difference between the two examples: the first uses 'Order allow,deny' with 'Allow from all' as the catch-all, the second uses 'Order deny,allow' with 'Deny from all'. This is important and must be set according to your requirements, because the second keyword in 'Order' always has the final say: under 'Order allow,deny' a matching 'Deny' overrides any 'Allow', so writing 'Allow from 225.0.0.0' followed by 'Deny from all' under 'Order allow,deny' would lock everyone out, including you. Blocked visitors will be shown a '403 Forbidden' error message. You can customize this error message by following the error documents section.
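To see how the Order line decides the outcome, here is an added example (not from the original post) that evaluates these Allow/Deny rules in Python the way Apache's mod_access_compat does, including the whitelist and the mistaken allow,deny version that locks the owner out. Host patterns are assumed limited to 'all', full IPv4 addresses and the octet-prefix form used above.

```python
"""Evaluate Apache Order/Allow/Deny rules the way mod_access_compat does.
Added example, not from the original post; host patterns are limited to 'all',
full IPv4 addresses and leading-octet prefixes such as '116.55.7.' (the page's forms)."""


def host_matches(pattern: str, ip: str) -> bool:
    """True when ip matches an Allow/Deny host: 'all', a full address, or an octet prefix."""
    if pattern.lower() == "all":
        return True
    want = [octet for octet in pattern.strip(".").split(".") if octet]
    return ip.split(".")[: len(want)] == want


def parse_access_rules(text: str):
    """Return (order, allow_patterns, deny_patterns) from .htaccess lines."""
    order, allows, denies = "deny,allow", [], []  # Apache's default Order
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        key = parts[0].lower()
        if key == "order":
            order = "".join(parts[1:]).lower()  # tolerate 'allow, deny' with a space
        elif key in ("allow", "deny") and len(parts) > 2 and parts[1].lower() == "from":
            (allows if key == "allow" else denies).extend(parts[2:])
    return order, allows, denies


def is_allowed(text: str, ip: str) -> bool:
    """Apply Apache's evaluation order: the second keyword in Order has the final say."""
    order, allows, denies = parse_access_rules(text)
    allowed = any(host_matches(p, ip) for p in allows)
    denied = any(host_matches(p, ip) for p in denies)
    if order == "allow,deny":
        # Allow lines first, then Deny; a matching Deny wins; no match at all -> denied.
        return allowed and not denied
    # deny,allow: Deny lines first, then Allow; a matching Allow wins; no match -> allowed.
    return allowed or not denied


# Constructed sample rule sets matching the two examples above.
BLOCK_SOME = "Order allow,deny\nDeny from 225.0.0.0\nDeny from 116.55.7.\nAllow from all\n"
WHITELIST = "Order deny,allow\nDeny from all\nAllow from 225.0.0.0\n"
# The common mistake: under allow,deny the catch-all Deny overrides the owner's Allow.
WHITELIST_BROKEN = "Order allow,deny\nAllow from 225.0.0.0\nDeny from all\n"

if __name__ == "__main__":
    for name, cfg in (("block-some", BLOCK_SOME), ("whitelist", WHITELIST), ("broken", WHITELIST_BROKEN)):
        for ip in ("225.0.0.0", "116.55.7.42", "8.8.8.8"):
            print(f"{name:10} {ip:12} -> {'allowed' if is_allowed(cfg, ip) else '403 Forbidden'}")
```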

2. Deny visitors by referrer

The visitor blocking facilities of the Apache Web Server also let us deny access to specific visitors based on where they have come from (the HTTP referrer). If you have ever looked at your logs and noticed a surprising increase in traffic, yet no increase in actual file requests, it is probably someone pinching content (such as CSS files) or someone attempting to hack your web site (this may simply mean trying to find non-public content).

Note that this functionality requires 'mod_rewrite' to be enabled on your server. Due to the demands it can place on system resources, it is unlikely to be enabled, so be sure to check with your system administrator or web hosting company.

To block a single referrer, create an .htaccess file following the main instructions and guidance which includes the following text:


RewriteEngine on
# Options +FollowSymLinks
RewriteCond %{HTTP_REFERER} wxyz\.com [NC]
RewriteRule .* - [F]


The above lines tell the Apache Web Server to block traffic whose referrer contains 'wxyz.com'. The '[NC]' flag after the pattern makes the match case-insensitive. To block multiple referrers, create an .htaccess file following the main instructions and guidance which includes the following text:


RewriteEngine on
# Options +FollowSymLinks
RewriteCond %{HTTP_REFERER} otherdomain\.com [NC,OR]
RewriteCond %{HTTP_REFERER} anotherdomain\.com
RewriteRule .* - [F]


You might have noticed the line 'Options +FollowSymLinks' above, which is commented out with a '#'. Uncomment this line if your server returns a '500 Internal Server Error'. This means your server isn't configured with FollowSymLinks in the <Directory> section of 'httpd.conf'. Blocked referrers will be shown a '403 Forbidden' error message. You can customize this error message by following the 'Error Documents' section of this article.
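As an added example (not from the original post), the following Python evaluates RewriteCond chains over a Referer value the way mod_rewrite does, covering the [NC] and [OR] flags above and showing why the unanchored patterns also match look-alike domains. The rule sets and referrer values are constructed for the demonstration.

```python
"""Evaluate RewriteCond chains against the Referer header the way mod_rewrite does.
Added example, not from the original post; it covers the [NC] and [OR] flags used
above and a RewriteRule whose [F] flag answers 403 Forbidden."""
import re


def parse_rewrite_conds(text: str):
    """Return [(variable, pattern, flags)] for each RewriteCond line; other lines are ignored."""
    conds = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "RewriteCond":
            continue
        flags = set()
        if len(parts) > 3 and parts[3].startswith("[") and parts[3].endswith("]"):
            flags = {f.strip().upper() for f in parts[3][1:-1].split(",")}
        conds.append((parts[1], parts[2], flags))
    return conds


def conds_match(conds, env: dict) -> bool:
    """Apache ANDs consecutive conditions; [OR] joins a condition with the one after it."""
    groups, current = [], []
    for cond in conds:
        current.append(cond)
        if "OR" not in cond[2]:
            groups.append(current)
            current = []
    if current:
        groups.append(current)

    def one(var, pattern, flags):
        value = env.get(var.strip("%{}"), "")  # a missing header behaves as an empty string
        # RewriteCond patterns are unanchored, so use re.search: 'otherdomain\.com'
        # also matches 'myotherdomain.com'. Anchor patterns (^https?://(www\.)?...) to avoid that.
        return re.search(pattern, value, re.IGNORECASE if "NC" in flags else 0) is not None

    return all(any(one(*c) for c in group) for group in groups)


def referer_blocked(htaccess: str, referer: str) -> bool:
    """True when the RewriteCond chain matches and a RewriteRule carries the [F] flag."""
    rules = [l.split() for l in htaccess.splitlines() if l.startswith("RewriteRule")]
    forbids = any(len(r) > 3 and "F" in r[3].strip("[]").upper().split(",") for r in rules)
    return forbids and conds_match(parse_rewrite_conds(htaccess), {"HTTP_REFERER": referer})


# Constructed copies of the two rule sets discussed above.
BLOCK_ONE = "RewriteEngine on\nRewriteCond %{HTTP_REFERER} wxyz\\.com [NC]\nRewriteRule .* - [F]\n"
BLOCK_MANY = ("RewriteEngine on\n"
              "RewriteCond %{HTTP_REFERER} otherdomain\\.com [NC,OR]\n"
              "RewriteCond %{HTTP_REFERER} anotherdomain\\.com\n"
              "RewriteRule .* - [F]\n")
```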

3. Password Protection

The password protection and authentication systems of the Apache Web Server are probably the most important use of .htaccess files. Very easily, we can password protect a directory (or several) of a web site so that a username and password are required to access it. The login procedure for these secure directories is handled automatically by the web browser using a pop-up login interface (you have probably seen these before). Passwords are also encrypted using one of the best encryption methods available, which ensures login credentials are kept secure. In this section we discuss the details of the .htaccess authentication system, explain how to set up password protection along with a variety of helpful related information, and describe a variety of pre-made software which can be used to accomplish these tasks.

To begin, decide which directory you would like to password protect (note that all files and subdirectories within the directory will be password protected), then create an .htaccess file following the main instructions and guidance which includes the following text:


AuthName "Member's Area Name"
AuthUserFile /path/to/password/file/.htpasswd
AuthType Basic
Require valid-user



The first line tells the Apache Web Server that the secure directory is called 'Member's Area Name'; this will be displayed when the pop-up login prompt appears. The second line specifies the location of the password file. The third line specifies the authentication type; in this example we are using 'Basic' because we are using basic HTTP authentication. Finally, the fourth line specifies that we require valid login credentials. This line can also be used to require a specific username, e.g. 'Require user username' would require the username 'username'. You would use this if you were password protecting an administration area, rather than setting up a public password protected directory.

The location of the password file can be anywhere on your web server; the '/path/to/password/file/' must be replaced with the full/absolute path to the directory containing the password file, and the '.htpasswd' file must exist, though it can be called anything. We use the filename '.htpasswd' because the server will recognise the filename and hide it from visitors. Note that some servers do require the password file to be located in the same directory as the .htaccess file. It is also important to use a full/absolute server path for the location of the password file; a relative path, or any variation of a URL, will not work.

The password file would contain something similar to the following text:



username:encryptedpassword
3d_mick:7du0oAV%i*g2


Now, you cannot just make up the password: on Unix/Linux servers it must be encrypted by the server, while on Windows servers you just use a plain text password, as Windows does not offer any encryption methods. You can have any number of user records in your password file, one account per row, separating the username and password with a colon.
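The following is an added example (not from the original post) showing, in Python, how a password file like the one above is parsed and how a Basic-auth login is checked against it; the sample file is constructed, and its '{SHA}' record is the form written by 'htpasswd -s' (unsalted SHA-1, used here only to show the record format; 'htpasswd -B' bcrypt records are the better choice on current servers).

```python
"""Parse an Apache .htpasswd file and verify a Basic-auth credential against it.
Added example, not from the original post. The sample file below is constructed; its
'{SHA}' record is the form written by 'htpasswd -s' (unsalted SHA-1, shown for the
format only; 'htpasswd -B' bcrypt records are the better choice on current servers)."""
import base64
import hashlib
import hmac

# Constructed sample .htpasswd: one 'username:hash' record per line.
SAMPLE_HTPASSWD = """# alice's password is 'password' (do not reuse this in production)
alice:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
3d_mick:$apr1$PLACEHOLDER$notARealApr1Hash
"""


def parse_htpasswd(text: str) -> dict:
    """Map username -> stored hash; blank lines, comments and malformed rows are skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        users[user] = stored
    return users


def sha1_htpasswd_hash(password: str) -> str:
    """'{SHA}' scheme: base64 of the raw (unsalted) SHA-1 digest of the password."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def verify(users: dict, username: str, password: str) -> bool:
    """Fail closed: unknown users and unsupported hash schemes are rejected.

    Basic auth sends 'username:password' base64-encoded (not encrypted) on every
    request, so the protected directory must be served over HTTPS."""
    stored = users.get(username)
    if stored is None or not stored.startswith("{SHA}"):
        return False  # $apr1$ (MD5) and $2y$ (bcrypt) records need their own routines
    # Constant-time comparison avoids leaking how many leading characters matched.
    return hmac.compare_digest(sha1_htpasswd_hash(password), stored)


def basic_auth_header(username: str, password: str) -> str:
    """The Authorization header a browser sends after the pop-up login prompt."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token
```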