A .htaccess file consists of lines containing directives.
Apart from the Limit; directive, all directives have the form
where argument(s) is one or more arguments. The directives
- Use this user and password file to
authenticate users. Typically, the AuthUserFile is called
- Use this group file, which contains a
database of which groups users are member of. Typically, the
AuthGroupFile is called .htgroup, if used.
- Set the authentication realm, which can be
any name you choose. The name will be used to tell browsers how to
label user authentications within a session, so that the
browsers can automatically repeat passwords the user has already
entered when accessing new pages with the same access requirements.
- Redirect all accesses for pages in the
directory to this URL.
- Show this page in case the requested page
could not be found, maybe because the user did not have permission to
Then there is the <Limit> container tag. The attributes are
the HTTP method(s) that access should be limited to, GET,
PUT, POST or HEAD. The contents of the tag are
access control directives, one directive on each line. Possible
- allow|deny from URL
Allow or deny access to users from
a DNS domain or IP number. www.roxen.com means the computer
while .roxen.com means all computers on the domain
roxen.com. The same way 22.214.171.124 means the
computer while 194.52. means the net starting with
- require user|group user(s)|group(s)
Allow access only for the named user(s) or group(s).
- require valid-user
- Allow access to any user present
in the AuthUserFile or Authentication module.
- satisfy all|any
Decide what happens if both require and
allow rules are present; all indicates that the user
must satisfy both kinds of requirements, while any means that
it is enough that the user satisfies either kind.
- order deny,allow|allow,deny|mutual-failure
The order rules decides how to prioritize deny and allow rules.
If the order is set to deny,allow, deny rules will be processed
before allow rules. With allow,deny, allows will be processed
before denies, and with mutual-failure, hosts allowed by any
allow rule will be allowed, and other hosts denied.
Deny,allow is the default.
The rule evaluation does not stop until all rules have been
processed, so the earlier a rule is processed, the lower priority is
has in determining access. This only matters when different rules
contradict each other, for instance when a wide-ranging deny rule
forbids access to a certain domain, and an allow grants access to a
smaller part of the domain.
A typical .htaccess file would look something like this:
<Limit PUT HOST HEAD>
require user frotz
allow from all
The .htaccess file above would allow everyone to GET
documents in the directory, but all other kinds of access would be
restricted to the user frotz, and expect this user to login with the
password listed for frotz in the .htpasswd file in the home
directory of the user frotz.