+++ /dev/null
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
- "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-
-<html xmlns="http://www.w3.org/1999/xhtml">
- <head>
- <meta name="generator" content="HTML Tidy, see www.w3.org" />
-
- <title>Apache Tutorial: .htaccess files</title>
- </head>
-
- <body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#000080"
- alink="#FF0000">
- <!--#include virtual="header.html" -->
-
- <h1 align="CENTER"><code>.htaccess</code> files</h1>
- <!-- INDEX BEGIN -->
-
- <ul>
- <li><a href="#what">What they are/How to use them</a></li>
-
- <li><a href="#when">When (not) to use <code
- class="file">.htaccess</code></a> files</li>
-
- <li><a href="#how">How directives are applied</a></li>
-
- <li><a href="#auth">Authentication example</a></li>
-
- <li><a href="#ssi">Server side includes example</a></li>
-
- <li><a href="#cgi">CGI example</a></li>
-
- <li><a href="#troubleshoot">Troubleshooting</a></li>
- </ul>
- <!-- Index End -->
-
- <table border="1">
- <tr>
- <td valign="top"><strong>Related Modules</strong><br />
- <br />
- <code><a href="../mod/core.html">core</a></code><br />
- <code><a href="../mod/mod_auth.html">mod_auth</a></code><br />
- <code><a href="../mod/mod_cgi.html">mod_cgi</a></code><br />
- <code><a href="../mod/mod_includes.html">mod_includes</a><br />
- </code> <a href="../mod/mod_mime.html">mod_mime</a><br />
- </td>
-
- <td valign="top"><strong>Related Directives</strong><br />
- <br />
- <code><a
- href="../mod/core.html#accessfilename">AccessFileName</a></code><br />
- <code><a
- href="../mod/core.html#allowoverride">AllowOverride</a></code><br />
- <code><a href="../mod/core.html#options">Options</a></code><br />
- <code><a
- href="../mod/mod_mime.html#addhandler">AddHandler</a></code><br />
- <code><a
- href="../mod/core.html#sethandler">SetHandler</a></code><br />
- <code><a
- href="../mod/core.html#authtype">AuthType</a></code><br />
- <code><a
- href="../mod/core.html#authname">AuthName</a></code><br />
- <code><a
- href="../mod/mod_auth.html#authuserfile">AuthUserFile</a></code><br />
- <code><a
- href="../mod/mod_auth.html#authgroupfile">AuthGroupFile</a></code><br />
- <code><a href="../mod/core.html#require">Require</a></code><br />
- </td>
- </tr>
- </table>
- <hr />
-
- <h2><a id="what" name="what">What they are/How to use them</a></h2>
-
- <p><code>.htaccess</code> files (or "distributed configuration files")
- provide a way to make configuration changes on a per-directory basis. A
- file, containing one or more configuration directives, is placed in a
- particular document directory, and the directives apply to that
- directory, and all subdirectories thereof.</p>
-
- <p>Note: If you want to call your <code>.htaccess</code> file something
- else, you can change the name of the file using the <code><a
- href="../mod/core.html#accessfilename">AccessFileName</a></code>
- directive. For example, if you would rather call the file
- <code>.config</code> then you can put the following in your server
- configuration file:</p>
-
- <blockquote>
- <table cellpadding="10">
- <tr>
- <td bgcolor="#eeeeee"><code>AccessFileName .config</code> </td>
- </tr>
- </table>
- </blockquote>
-
- <p>What you can put in these files is determined by the <code><a
- href="../mod/core.html#allowoverride">AllowOverride</a></code>
- directive. This directive specifies, in categories, what directives
- will be honored if they are found in a <code>.htaccess</code> file. If
- a directive is permitted in a <code>.htaccess</code> file, the
- documentation for that directive will contain an Override section,
- specifying what value must be in <code>AllowOverride</code> in order
- for that directive to be permitted.</p>
-
- <p>For example, if you look at the documentation for the <a
- href="../mod/core.html#adddefaultcharset">AddDefaultCharset</a>
- directive, you will find that it is permitted in <code>.htaccess</code>
- files. (See the Context line in the directive summary.) The <a
- href="../mod/directive-dict.html#Context">Override</a> line reads
- "<code>FileInfo</code>". Thus, you must have at least
- "<code>AllowOverride FileInfo</code>" in order for this directive to be
- honored in <code>.htaccess</code> files.</p>
-
- <p>Example:</p>
-
- <blockquote>
- <table>
- <tr>
- <td><a
- href="../mod/directive-dict.html#Context">Context:</a></td>
-
- <td>server config, virtual host, directory, .htaccess</td>
- </tr>
-
- <tr>
- <td><a
- href="../mod/directive-dict.html#Override">Override:</a></td>
-
- <td>FileInfo</td>
- </tr>
- </table>
- </blockquote>
-
- <p>If you are unsure whether a particular directive is permitted in a
- <code>.htaccess</code> file, look at the documentation for that
- directive, and check the Context line for ".htaccess."</p>
-
- <h2><a id="when" name="when">When (not) to use .htaccess files</a></h2>
-
- <p>In general, you should never use <code>.htaccess</code> files unless
- you don't have access to the main server configuration file. There is,
- for example, a prevailing misconception that user authentication should
- always be done in <code>.htaccess</code> files. This is simply not the
- case. You can put user authentication configurations in the main server
- configuration, and this is, in fact, the preferred way to do
- things.</p>
-
- <p><code>.htaccess</code> files should be used in a case where the
- content providers need to make configuration changes to the server on a
- per-directory basis, but do not have root access on the server system.
- In the event that the server administrator is not willing to make
- frequent configuration changes, it might be desirable to permit
- individual users to make these changes in <code>.htaccess</code> files
- for themselves. This is particularly true, for example, in cases where
- ISPs are hosting multiple user sites on a single machine, and want
- their users to be able to alter their configuration.</p>
-
- <p>However, in general, use of <code>.htaccess</code> files should be
- avoided when possible. Any configuration that you would consider
- putting in a <code>.htaccess</code> file, can just as effectively be
- made in a <a href="../mod/core.html#Directory"><Directory></a>
- section in your main server configuration file.</p>
-
- <p>There are two main reasons to avoid the use of
- <code>.htaccess</code> files.</p>
-
- <p>The first of these is performance. When <code>AllowOverride</code>
- is set to allow the use of <code>.htaccess</code> files, Apache will
- look in every directory for <code>.htaccess</code> files. Thus,
- permitting <code>.htaccess</code> files causes a performance hit,
- whether or not you actually even use them! Also, the
- <code>.htaccess</code> file is loaded every time a document is
- requested.</p>
-
- <p>Further note that Apache must look for <code>.htaccess</code> files
- in all higher-level directories, in order to have a full complement of
- directives that it must apply. (See section on <a href="#how">how
- directives are applied</a>.) Thus, if a file is requested out of a
- directory <code>/www/htdocs/example</code>, Apache must look for the
- following files:</p>
-
- <blockquote>
- <table cellpadding="10">
- <tr>
- <td bgcolor="#eeeeee"><code>/.htaccess<br />
- /www/.htaccess<br />
- /www/htdocs/.htaccess<br />
- /www/htdocs/example/.htaccess</code> </td>
- </tr>
- </table>
- </blockquote>
-
- <p>And so, for each file access out of that directory, there are 4
- additional file-system accesses, even if none of those files are
- present. (Note that this would only be the case if .htaccess files were
- enabled for /, which is not usually the case.)</p>
-
- <p>The second consideration is one of security. You are permitting
- users to modify server configuration, which may result in changes over
- which you have no control. Carefully consider whether you want to give
- your users this privilege.</p>
-
- <p>Note that it is completely equivalent to put a .htaccess file in a
- directory <code>/www/htdocs/example</code> containing a directive, and
- to put that same directive in a Directory section <code><Directory
- /www/htdocs/example></code> in your main server configuration:</p>
-
- <p><code>.htaccess</code> file in <code>/www/htdocs/example</code>:</p>
-
- <blockquote>
- <table cellpadding="10">
- <tr>
- <td bgcolor="#eeeeee"><code>AddType text/example .exm</code>
- </td>
- </tr>
- </table>
- </blockquote>
-
- <p><code>httpd.conf</code></p>
-
- <blockquote>
- <table cellpadding="10">
- <tr>
- <td bgcolor="#eeeeee"><code><Directory
- /www/htdocs/example><br />
- AddType text/example .exm<br />
- </Directory></code> </td>
- </tr>
- </table>
- </blockquote>
-
- <p>However, putting this configuration in your server configuration
- file will result in less of a performance hit, as the configuration is
- loaded once when Apache starts, rather than every time a file is
- requested.</p>
-
- <p>The use of <code>.htaccess</code> files can be disabled completely
- by setting the <code>AllowOverride</code> directive to "none"</p>
-
- <blockquote>
- <table cellpadding="10">
- <tr>
- <td bgcolor="#eeeeee"><code>AllowOverride None</code> </td>
- </tr>
- </table>
- </blockquote>
-
- <h2><a id="how" name="how">How directives are applied</a></h2>
-
- <p>The configuration directives found in a <code>.htaccess</code> file
- are applied to the directory in which the <code>.htaccess</code> file
- is found, and to all subdirectories thereof. However, it is important
- to also remember that there may have been <code>.htaccess</code> files
- in directories higher up. Directives are applied in the order that they
- are found. Therefore, a <code>.htaccess</code> file in a particular
- directory may override directives found in <code>.htaccess</code> files
- found higher up in the directory tree. And those, in turn, may have
- overridden directives found yet higher up, or in the main server
- configuration file itself.</p>
-
- <p>Example:</p>
-
- <p>In the directory <code>/www/htdocs/example1</code> we have a
- <code>.htaccess</code> file containing the following:</p>
-
- <blockquote>
- <table cellpadding="10">
- <tr>
- <td bgcolor="#eeeeee"><code>Options +ExecCGI</code> </td>
- </tr>
- </table>
- </blockquote>
-
- <p>(Note: you must have "<code>AllowOverride Options</code>" in effect
- to permit the use of the "<code><a
- href="../mod/core.html#options">Options</a></code>" directive in
- <code>.htaccess</code> files.)</p>
-
- <p>In the directory <code>/www/htdocs/example1/example2</code> we have
- a <code>.htaccess</code> file containing:</p>
-
- <blockquote>
- <table cellpadding="10">
- <tr>
- <td bgcolor="#eeeeee"><code>Options Includes</code> </td>
- </tr>
- </table>
- </blockquote>
-
- <p>Because of this second <code>.htaccess</code> file, in the directory
- <code>/www/htdocs/example1/example2</code>, CGI execution is not
- permitted, as only <code>Options Includes</code> is in effect, which
- completely overrides any earlier setting that may have been in
- place.</p>
-
- <h2><a id="auth" name="auth">Authentication example</a></h2>
-
- <p>If you jumped directly to this part of the document to find out how
- to do authentication, it is important to note one thing. There is a
- common misconception that you are required to use
- <code>.htaccess</code> files in order to implement password
- authentication. This is not the case. Putting authentication directives
- in a <code><Directory></code> section, in your main server
- configuration file, is the preferred way to implement this, and
- <code>.htaccess</code> files should be used only if you don't have
- access to the main server configuration file. See above for a
- discussion of when you should and should not use <code>.htaccess</code>
- files.</p>
-
- <p>Having said that, if you still think you need to use a
- <code>.htaccess</code> file, you may find that a configuration such as
- what follows may work for you.</p>
-
- <p>You must have "<code>AllowOverride AuthConfig</code>" in effect for
- these directives to be honored.</p>
-
- <p><code>.htaccess</code> file contents:</p>
-
- <blockquote>
- <table cellpadding="10">
- <tr>
- <td bgcolor="#eeeeee"><code>AuthType Basic<br />
- AuthName "Password Required"<br />
- AuthUserFile /www/passwords/password.file<br />
- AuthGroupFile /www/passwords/group.file<br />
- Require Group admins</code> </td>
- </tr>
- </table>
- </blockquote>
-
- <p>Note that <code>AllowOverride AuthConfig</code> must be in effect
- for these directives to have any effect.</p>
-
- <p>Please see the <a href="auth.html">authentication tutorial</a> for a
- more complete discussion of authentication and authorization.</p>
-
- <h2><a id="ssi" name="ssi">Server side includes example</a></h2>
-
- <p>Another common use of <code>.htaccess</code> files is to enable
- Server Side Includes for a particular directory. This may be done with
- the following configuration directives, placed in a
- <code>.htaccess</code> file in the desired directory:</p>
-
- <blockquote>
- <table cellpadding="10">
- <tr>
- <td bgcolor="#eeeeee"><code>Options +Includes<br />
- AddType text/html shtml<br />
- AddHandler server-parsed shtml</code> </td>
- </tr>
- </table>
- </blockquote>
-
- <p>Note that <code>AllowOverride Options</code> and <code>AllowOverride
- FileInfo</code> must both be in effect for these directives to have any
- effect.</p>
-
- <p>Please see the <a href="ssi.html">SSI tutorial</a> for a more
- complete discussion of server-side includes.</p>
-
- <h2><a id="cgi" name="cgi">CGI example</a></h2>
-
- <p>Finally, you may wish to use a <code>.htaccess</code> file to permit
- the execution of CGI programs in a particular directory. This may be
- implemented with the following configuration:</p>
-
- <blockquote>
- <table cellpadding="10">
- <tr>
- <td bgcolor="#eeeeee"><code>Options +ExecCGI<br />
- AddHandler cgi-script cgi pl</code> </td>
- </tr>
- </table>
- </blockquote>
-
- <p>Alternately, if you wish to have all files in the given directory be
- considered to be CGI programs, this may be done with the following
- configuration:</p>
-
- <blockquote>
- <table cellpadding="10">
- <tr>
- <td bgcolor="#eeeeee"><code>Options +ExecCGI<br />
- SetHandler cgi-script</code> </td>
- </tr>
- </table>
- </blockquote>
-
- <p>Note that <code>AllowOverride Options</code> must be in effect for
- these directives to have any effect.</p>
-
- <p>Please see the <a href="cgi.html">CGI tutorial</a> for a more
- complete discussion of CGI programming and configuration.</p>
-
- <h2><a id="troubleshoot" name="troubleshoot">Troubleshooting</a></h2>
-
- <p>When you put configuration directives in a <code>.htaccess</code>
- file, and you don't get the desired effect, there are a number of
- things that may be going wrong.</p>
-
- <p>Most commonly, the problem is that <code><a
- href="../mod/core.html#allowoverride">AllowOverride</a></code> is not
- set such that your configuration directives are being honored. Make
- sure that you don't have a <code>AllowOverride None</code> in effect
- for the file scope in question. A good test for this is to put garbage
- in your <code>.htaccess</code> file and reload. If a server error is
- not generated, then you almost certainly have <code>AllowOverride
- None</code> in effect.</p>
-
- <p>If, on the other hand, you are getting server errors when trying to
- access documents, check your Apache error log. It will likely tell you
- that the directive used in your .htaccess file is not permitted.
- Alternately, it may tell you that you had a syntax error, which you
- will then need to fix.</p>
- </body>
-</html>
-