Roxen WebServer 3.3 Web Developer Manual: Security
Copyright 2004, Roxen Internet Software



A .htaccess file consists of lines containing directives. Apart from the <Limit> container directive, all directives have the form

directive argument(s)

where argument(s) is one or more arguments. The directives supported are:


AuthUserFile

Use this user and password file to authenticate users. Typically, the AuthUserFile is called .htpasswd.


AuthGroupFile

Use this group file, which contains a database of which groups users are members of. Typically, the AuthGroupFile is called .htgroup, if used.


AuthName

Set the authentication realm, which can be any name you choose. The name is used to tell browsers how to label user authentications within a session, so that browsers can automatically repeat passwords the user has already entered when accessing new pages with the same access requirements.


Redirect all accesses for pages in the directory to this URL.


Show this page in case the requested page could not be found, maybe because the user did not have permission to view it.

Then there is the <Limit> container tag. The attributes are the HTTP method(s) that access should be limited to, GET, PUT, POST or HEAD. The contents of the tag are access control directives, one directive on each line. Possible directives are:

allow|deny from URL

Allow or deny access to users from a DNS domain or IP number. A full host name means that single computer, while a domain name means all computers on the domain. In the same way, a full IP number means that single computer, while 194.52. means the net starting with 194.52.

require user|group user(s)|group(s)

Allow access only for the named user(s) or group(s).

require valid-user

Allow access to any user present in the AuthUserFile or Authentication module.

satisfy all|any

Decide what happens if both require and allow rules are present; all indicates that the user must satisfy both kinds of requirements, while any means that it is enough that the user satisfies either kind.

order deny,allow|allow,deny|mutual-failure

The order rule decides how deny and allow rules are prioritized. If the order is set to deny,allow, deny rules are processed before allow rules. With allow,deny, allows are processed before denies, and with mutual-failure, hosts allowed by any allow rule are allowed, and all other hosts denied. deny,allow is the default.

The rule evaluation does not stop until all rules have been processed, so the earlier a rule is processed, the lower the priority it has in determining access. This only matters when different rules contradict each other, for instance when a wide-ranging deny rule forbids access to a certain domain and an allow rule grants access to a smaller part of that domain.


A typical .htaccess file would look something like this:

AuthUserFile /home/frotz/.htpasswd
AuthGroupFile /home/frotz/.htgroup
AuthName MyTestDomain
AuthType Basic

require user frotz

<Limit GET>
allow from all
</Limit>

The .htaccess file above would allow everyone to GET documents in the directory, but all other kinds of access would be restricted to the user frotz, who is expected to log in with the password listed for frotz in the .htpasswd file in the home directory of the user frotz.
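The following is an added example, not code from the manual or from Roxen WebServer, that parses a small .htaccess file of the form shown above and evaluates the <Limit> access-control directives (allow/deny from, order, satisfy, require) the way the text describes them: every host rule is processed, so the kind processed last wins on a conflict. The sample file, the USERS and GROUPS dictionaries, and the helper names are all constructed for this example. Two points go beyond what the page states and are marked as assumptions in the code: the default when no host rule matches (allowed under deny,allow, denied under allow,deny), and that a <Limit> naming a method replaces the file-level require lines for that method, which is how the manual's own example (everyone may GET, other methods need frotz) reads.

```python
import re
from dataclasses import dataclass, field

# Constructed sample (assumed), modelled on the manual's example but with host rules,
# an 'order' line and a 'satisfy' line inside <Limit> so those directives matter.
SAMPLE_HTACCESS = """\
AuthUserFile /home/frotz/.htpasswd
AuthGroupFile /home/frotz/.htgroup
AuthName MyTestDomain
AuthType Basic

require user frotz

<Limit GET>
order deny,allow
deny from all
allow from 194.52.
require group staff
satisfy any
</Limit>
"""

# Hypothetical stand-ins for the .htpasswd / .htgroup lookups (plain-text passwords
# only to keep the example short; real password files hold hashes).
USERS = {"frotz": "secret", "zork": "xyzzy"}
GROUPS = {"staff": {"frotz", "zork"}}


@dataclass
class Limit:
    methods: set
    allow: list = field(default_factory=list)    # host patterns from 'allow from'
    deny: list = field(default_factory=list)     # host patterns from 'deny from'
    order: str = "deny,allow"                    # default named by the manual
    satisfy: str = "all"                         # assumed default when no 'satisfy' line
    require: list = field(default_factory=list)  # (kind, names) tuples


@dataclass
class HtAccess:
    settings: dict = field(default_factory=dict)  # AuthUserFile, AuthName, ...
    require: list = field(default_factory=list)   # file-level 'require' lines
    limits: list = field(default_factory=list)


def parse_htaccess(text):
    """Parse 'directive argument(s)' lines and <Limit ...> ... </Limit> containers."""
    cfg, current = HtAccess(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"<Limit\s+([^>]+)>", line, re.IGNORECASE)
        if m:
            current = Limit(methods={w.upper() for w in m.group(1).split()})
            cfg.limits.append(current)
            continue
        if line.lower() == "</limit>":
            current = None
            continue
        words = line.split()
        key, args = words[0].lower(), words[1:]
        if key == "require":
            target = cfg.require if current is None else current.require
            target.append((args[0].lower(), args[1:]))
        elif key in ("allow", "deny", "order", "satisfy"):
            if current is None:
                raise ValueError(f"'{key}' is only valid inside <Limit>: {line}")
            if key in ("allow", "deny"):
                getattr(current, key).extend(args[1:])  # skip the word 'from'
            else:
                setattr(current, key, args[0].lower())
        else:
            cfg.settings[words[0]] = " ".join(args)
    return cfg


def host_matches(pattern, host, ip):
    """'all' matches everyone; '194.52.' matches the net starting with 194.52 and a full
    address only that host; a domain name matches that host and every host under it."""
    if pattern.lower() == "all":
        return True
    if re.fullmatch(r"[0-9.]+", pattern):
        return ip.startswith(pattern) if pattern.endswith(".") else ip == pattern
    pattern, host = pattern.lower().lstrip("."), host.lower()
    return host == pattern or host.endswith("." + pattern)


def host_allowed(limit, host, ip):
    """Apply 'order': all rules are processed, so the kind processed last wins on conflict."""
    allowed = any(host_matches(p, host, ip) for p in limit.allow)
    denied = any(host_matches(p, host, ip) for p in limit.deny)
    if limit.order == "mutual-failure":
        return allowed and not denied  # assumption: a host on both lists is denied
    first, second = limit.order.split(",")
    verdict = first == "deny"  # assumption: deny,allow starts allowed, allow,deny starts denied
    for kind in (first, second):
        if allowed if kind == "allow" else denied:
            verdict = kind == "allow"  # a later-processed match overrides an earlier one
    return verdict


def user_satisfied(requires, user, password):
    """'require' lines: user/group names must match; valid-user needs only a correct login."""
    if not requires:
        return True
    if user is None or USERS.get(user) != password:
        return False
    for kind, names in requires:
        if kind == "valid-user" or (kind == "user" and user in names):
            return True
        if kind == "group" and any(user in GROUPS.get(g, ()) for g in names):
            return True
    return False


def check_access(cfg, method, host, ip, user=None, password=None):
    """Decide one request. Assumption (reading of the manual's example): a <Limit> naming the
    method replaces the file-level 'require' lines; other methods use those lines alone."""
    limits = [lim for lim in cfg.limits if method.upper() in lim.methods]
    if not limits:
        return user_satisfied(cfg.require, user, password)
    for lim in limits:
        hosts_ok = host_allowed(lim, host, ip)
        users_ok = user_satisfied(lim.require, user, password)
        ok = (hosts_ok and users_ok) if lim.satisfy == "all" else (hosts_ok or users_ok)
        if not ok:
            return False
    return True


if __name__ == "__main__":
    cfg = parse_htaccess(SAMPLE_HTACCESS)
    print("GET  from 194.52.1.2, anonymous:", check_access(cfg, "GET", "pc.example.net", "194.52.1.2"))
    print("GET  from 10.0.0.5, anonymous:  ", check_access(cfg, "GET", "pc.example.net", "10.0.0.5"))
    print("POST as frotz:                  ", check_access(cfg, "POST", "pc.example.net", "10.0.0.5", "frotz", "secret"))
```

Flipping the sample's order to allow,deny with the same two host rules shows the priority rule from the text: the deny from all line is then processed last and overrides the allow from 194.52. line, so even hosts on that net are refused.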