WHAT IS .HTACCESS?
.Htaccess is a small text file that control configuration aspects of an Apache web server.  Most people are familiar with the .htaccess file in relation with the ability to restrict access to a directory via password protection.  However, .htaccess can do a lot more than password protection.  .Htaccess is an extremely powerful configuration tool that can customize the way your web site behaves and how your web server handles requests. 

You can create as many .htaccess files as you wish for your website.  you can have one in every directory if you like.  However, .htaccess will control the directory it is placed in, as well as all the directories which are in the directory that the .htaccess file resides.  For that reason, many people just bother with one .htaccess file, and that would be the .htaccess file located in the root directory.  Of course, if you are password protecting a directory, you would want to place a .htaccess file in the directory you'd be password protecting, assuming that it wasn't your root directory.
.HTACCESS AUTHENTICATION TUTORIAL
Sometimes it is necessary to have a directory of your website off limits to the general public.  Perhaps you have an area that is members only, or maybe you have an administrative area that you don't want other messing with.  Using the .htaccess file in tandem with the .htpasswd file, you can restrict access to that are of your site.  If a visitor tries to access that particular area, they will be prompted for a username and password, and will not be allowed access until they can provide the proper username/password combination.

To set up password protection on one of your directories you will need to be able to telnet into your web server.  Although, telnet access isn't required and their are work arounds, this tutorial will only cover password protection setup via the telnet method.

Below is an example of a simple .htaccess file:

AuthUserFile /path/to/your/password/file/.htpasswd
AuthGroupFile /dev/null
AuthName "Restricted Stuff"
AuthType "Basic"

<Limit GET POST>
require valid-user
</Limit>

The .htaccess file will affect any directory it is placed in and override the pre-configured server settings.   Additionally, the .htaccess file affects folders recursively.  For example, if you password protect a folder on your website located at http://www.website.com/restricted/ by placing this .htaccess in your restricted directory, not only will the folder restricted be password protected, so will all the files and folders within the restricted directory. 

Back to the .htaccess file.  The first line, beginning with AuthUserFile tells the web server where it should look to find the username/password file.  You will need to change the /path/to/... to reflect the path to your password file.  Keep the file name as .htpasswd.  The next line down, AuthGroupFile, is similar to the AuthUserFile, but instead of being a list of username/passwords, the AuthGroupFile outlines specific groups that have access to this directory.  We'll talk more about restricting group access in a later tutorial.  For now, by setting the AuthGroupFile to /dev/null the server interprets that there are no groups restricted.

The next line, AuthName is customizable and can be set to display a message or describe the area that someone is logging into.  As you can see from the password dialog box above taken from IE5, anything that is included on the AuthName line will appear in the Realm line. The require valid-user line in the .htaccess can be left as is.

Now it's time to create the .htpasswd file.  The .htpasswd file is a list of all the usernames/passwords that have access to the restricted directory.  You will need to telnet into your web server and change into the directory where you told the AuthUserFile line of the .htacess file where the .htpasswd file could be found.  To create and new .htpasswd file type at the command prompt, being sure to change johndoe to be the username of the account you want to add to the .htpasswd file:

htpasswd -c .htpasswd econ120c

You will be prompted for a new password to assign to johndoe, once you enter it in, you will be prompted to verify it again.  If you need to add additional usernames/password, you can enter in the same command above, without the -c switch.  The -c switch is used only to create a new .htpasswd file.  For example to add econ120c to your .htpasswd file you would type in and then follow the prompts for entering in the password:

htpasswd .htpasswd econ120c

Passwords are encrypted in the .htpasswd file.  A standard .htpasswd file will look something like this:

econ120c:rngxrrnRhGdFo
econ120c:3lmIn9MHfWkKc

This tutorial outlines a simple method to restrict individual users from accessing certain areas of your website.  Coming soon we'll discuss some more advance methods of using .htaccess/.htpasswd to restrict access from certain IP address and certain groups.
.HTACCESS REDIRECTION TUTORIAL

Sometimes it is necessary to redirect a user from one page to another.  Perhaps a search engine lists a page that is no longer available on your website.  Instead of having a person click on that link from the search engine and and be greeted by a 404 File Not Found Error from you site, you can redirect them to any page on your site, simply by adding a few lines to your .htaccess file:

Redirect /main.html http://www.website.com/index.html

This small line in the .htaccess file will redirect any requests for www.website.com/main.html to www.website.com/index.html. You can fill in the pages and URL's for any pages you like, and as long as you keep it in the format above, it should work just fine.  You can even redirect several pages to the same page.

.HTACCESS AND CUSTOMIZED ERROR MESSAGES
 

 

  About 90% of the time, web servers generate boring error messages when it cannot find a find a page or encounters some other server error.  You might have a nice color coordinated website, but let's face it, black-text on a white background is a little passé.  Wouldn't it be nice to create customized error messages that match the rest of your websites layout?  Well, it's really quite simple.

There are five major error messages that visitors to your site could potentially encounter.

ERROR NUMBER

ERROR DESCRIPTION
400 BAD REQUEST
401 AUTHORIZATION REQUIRED
403 FORBIDDEN DOCUMENT
404 FILE NOT FOUND
500 INTERNAL SERVER ERROR

First thing you'll need to do is design an HTML page describing each error number above.  You can copy the descriptions from actual server generated error pages, or you can put a fresh spin and design your own from the ground up.  It might be a good idea to put some links in your error messages to guide your wary visitors to a safe place, perhaps a link to your main page or a search page for your site's content.  An e-mail address might also be nice so a visitor can inform you of the error they encountered.

Okay, so now that you've gotten your html pages all made, you are going to need to place them in a folder on your web server.  Let say that you've made a folder called "errors" and have placed all five of your customized error messages in there.  Now we need to edit the .htaccess file and add these lines below:

ErrorDocument 400 /errors/400.html
ErrorDocument 401 /errors/401.html
ErrorDocument 403 /errors/403.html
ErrorDocument 404 /errors/404.html
ErrorDocument 500 /errors/500.html

You will need to change the directory and the names of the html documents to reflect where your error messages are and what names you've given them.

In the above example, if the server encounters a request for a page that no longer exists, it will look to your .htaccess file and see that for a 404 error is should display the page 404.html located in the "errors" directory.

Remember, that the .htaccess file only affects the directory that its located in and all those directories that are recursively located beneath it.  So if you want .htaccess to generate customized error messages for your whole site, you best place the ErrorDocument lines in the .htaccess in your root directory.
PREVENTING ACCESS TO .HTACCESS FILES
Your .htaccess files typically reside in your root directory.  Since it's almost guaranteed that there will be a .htaccess in your root directory practically anyone can access and view it through their web browser using the appropriate URL address.  Most of the time there is information contained the the .htaccess file that you don't want people knowing, like the location of .htpasswd files (password files), or rules for allowing or denying access.

One way to prevent your visitor from viewing your .htaccess file is to disable access to that particular filename.  You can add the following lines to your .htaccess file in the root directory to deny visitors from viewing all .htaccess files contained in your website:

  <Files .htaccess>
  order allow,deny
  deny from all
  </Files>
OPTIONS EXEC
 

Getting scripts to work properly on your server can be a difficult job.  There are so many variables that can cause a script to go awry.  Sometimes all it takes is the addition of a few lines to your .htaccess file to get a stubborn script working.  If you have access to the error logs on your server and you see a line resembling "Option ExecCGI is off on this directory", the you need to add the following lines to your .htaccess that located in the same folder as the script you are trying to execute:

  Options ExecCGI

In many version of Apache, Perl scripts need permission to run in a directory, especially if you have any .cgi or .pl files located in directories other than the cgi-bin directory.  By adding the line above to the .htaccess in the folder where the script is located you give the web server permission to execute files within that directory.