Apache Tutorial: .htaccess files

From: Rich Bowen Date: Thu, 15 Aug 2002 15:47:10 +0000 (+0000) Subject: XML-ized versions. Are we supposed to remove the .html files now? X-Git-Tag: AGB_BEFORE_AAA_CHANGES~260 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=cec5fbaf5b42195c726ba16e61cc3a91a0881177;p=apache XML-ized versions. Are we supposed to remove the .html files now? git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@96381 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/manual/howto/htaccess.html.en b/docs/manual/howto/htaccess.html.en new file mode 100644 index 0000000000..33e51c11d5 --- /dev/null +++ b/docs/manual/howto/htaccess.html.en @@ -0,0 +1,302 @@ +Apache Tutorial: .htaccess files - Apache HTTP Server

Apache HTTP Server Version 2.0
Apache Tutorial: .htaccess files
+
.htaccess files provide a way to make configuration +changes on a per-directory basis.
+
.htaccess files
What they are/How to use them
When (not) to use .htaccess files
How directives are applied
Authentication example
Server side includes example
CGI example
Troubleshooting
.htaccess files
+
Related Modules

core
mod_auth
mod_cgi
mod_includes
mod_mime
Related Directives

AccessFileName
AllowOverride
Options
AddHandler
SetHandler
AuthType
AuthName
AuthUserFile
AuthGroupFile
Require
+
What they are/How to use them
+ + +
.htaccess files (or "distributed configuration files") + provide a way to make configuration changes on a per-directory basis. A + file, containing one or more configuration directives, is placed in a + particular document directory, and the directives apply to that + directory, and all subdirectories thereof.
+ +
+
Note: If you want to call your .htaccess file something + else, you can change the name of the file using the AccessFileName + directive. For example, if you would rather call the file + .config then you can put the following in your server + configuration file:
+ +
+ AccessFileName .config +
+
+ +
What you can put in these files is determined by the AllowOverride + directive. This directive specifies, in categories, what directives + will be honored if they are found in a .htaccess file. If + a directive is permitted in a .htaccess file, the + documentation for that directive will contain an Override section, + specifying what value must be in AllowOverride in order + for that directive to be permitted.
+ +
For example, if you look at the documentation for the AddDefaultCharset + directive, you will find that it is permitted in .htaccess + files. (See the Context line in the directive summary.) The Override line reads + "FileInfo". Thus, you must have at least + "AllowOverride FileInfo" in order for this directive to be + honored in .htaccess files.
+ +
Example:
+ + + + + + + + + + + + + + Context: server config, virtual host, directory, .htaccess Override: FileInfo +
+ + +
If you are unsure whether a particular directive is permitted in a + .htaccess file, look at the documentation for that + directive, and check the Context line for ".htaccess."
+
When (not) to use .htaccess files
+ + +
In general, you should never use .htaccess files unless + you don't have access to the main server configuration file. There is, + for example, a prevailing misconception that user authentication should + always be done in .htaccess files. This is simply not the + case. You can put user authentication configurations in the main server + configuration, and this is, in fact, the preferred way to do + things.
+ +
.htaccess files should be used in a case where the + content providers need to make configuration changes to the server on a + per-directory basis, but do not have root access on the server system. + In the event that the server administrator is not willing to make + frequent configuration changes, it might be desirable to permit + individual users to make these changes in .htaccess files + for themselves. This is particularly true, for example, in cases where + ISPs are hosting multiple user sites on a single machine, and want + their users to be able to alter their configuration.
+ +
However, in general, use of .htaccess files should be + avoided when possible. Any configuration that you would consider + putting in a .htaccess file, can just as effectively be + made in a <Directory> section in your main server + configuration file.
+ +
There are two main reasons to avoid the use of + .htaccess files.
+ +
The first of these is performance. When AllowOverride + is set to allow the use of .htaccess files, Apache will + look in every directory for .htaccess files. Thus, + permitting .htaccess files causes a performance hit, + whether or not you actually even use them! Also, the + .htaccess file is loaded every time a document is + requested.
+ +
Further note that Apache must look for .htaccess files + in all higher-level directories, in order to have a full complement of + directives that it must apply. (See section on how + directives are applied.) Thus, if a file is requested out of a + directory /www/htdocs/example, Apache must look for the + following files:
+ +
+ /.htaccess + /www/.htaccess + /www/htdocs/.htaccess + /www/htdocs/example/.htaccess +
+ +
And so, for each file access out of that directory, there are 4 + additional file-system accesses, even if none of those files are + present. (Note that this would only be the case if .htaccess files were + enabled for /, which is not usually the case.)
+ +
The second consideration is one of security. You are permitting + users to modify server configuration, which may result in changes over + which you have no control. Carefully consider whether you want to give + your users this privilege. Note also that giving users less + privileges than they need will lead to additional technical support + requests. Make sure you clearly tell your users what level of + privileges you have given them. Specifying exactly what you have set + AllowOverride to, and pointing them to the relevant + documentation, will save yourself a lot of confusion later.
+ +
Note that it is completely equivalent to put a .htaccess file in a + directory /www/htdocs/example containing a directive, and + to put that same directive in a Directory section <Directory + /www/htdocs/example> in your main server configuration:
+ +
.htaccess file in /www/htdocs/example:
+ +
Contents of .htaccess file in + /www/htdocs/example
+ AddType text/example .exm +
+ +
Section from your httpd.conf + file
+ <Directory /www/htdocs/example> + AddType text/example .exm + </Directory> +
+ +
However, putting this configuration in your server configuration + file will result in less of a performance hit, as the configuration is + loaded once when Apache starts, rather than every time a file is + requested.
+ +
The use of .htaccess files can be disabled completely + by setting the AllowOverride directive to "none"
+ +
+ AllowOverride None +
+
How directives are applied
+ +
The configuration directives found in a .htaccess file + are applied to the directory in which the .htaccess file + is found, and to all subdirectories thereof. However, it is important + to also remember that there may have been .htaccess files + in directories higher up. Directives are applied in the order that they + are found. Therefore, a .htaccess file in a particular + directory may override directives found in .htaccess files + found higher up in the directory tree. And those, in turn, may have + overridden directives found yet higher up, or in the main server + configuration file itself.
+ +
Example:
+ +
In the directory /www/htdocs/example1 we have a + .htaccess file containing the following:
+ +
+ Options +ExecCGI +
+ +
(Note: you must have "AllowOverride Options" in effect + to permit the use of the "Options" directive in + .htaccess files.)
+ +
In the directory /www/htdocs/example1/example2 we have + a .htaccess file containing:
+ +
+ Options Includes +
+ +
Because of this second .htaccess file, in the directory + /www/htdocs/example1/example2, CGI execution is not + permitted, as only Options Includes is in effect, which + completely overrides any earlier setting that may have been in + place.
+
Authentication example
+ +
If you jumped directly to this part of the document to find out how + to do authentication, it is important to note one thing. There is a + common misconception that you are required to use + .htaccess files in order to implement password + authentication. This is not the case. Putting authentication directives + in a <Directory> section, in your main server + configuration file, is the preferred way to implement this, and + .htaccess files should be used only if you don't have + access to the main server configuration file. See above for a discussion of when you should and should + not use .htaccess files.
+ +
Having said that, if you still think you need to use a + .htaccess file, you may find that a configuration such as + what follows may work for you.
+ +
You must have "AllowOverride AuthConfig" in effect for + these directives to be honored.
+ +
.htaccess file contents:
+ +
+ AuthType Basic + AuthName "Password Required" + AuthUserFile /www/passwords/password.file + AuthGroupFile /www/passwords/group.file + Require Group admins +
+ +
Note that AllowOverride AuthConfig must be in effect + for these directives to have any effect.
+ +
Please see the authentication tutorial for a + more complete discussion of authentication and authorization.
+
Server side includes example
+ +
Another common use of .htaccess files is to enable + Server Side Includes for a particular directory. This may be done with + the following configuration directives, placed in a + .htaccess file in the desired directory:
+ +
+ Options +Includes + AddType text/html shtml + AddHandler server-parsed shtml +
+ +
Note that AllowOverride Options and AllowOverride + FileInfo must both be in effect for these directives to have any + effect.
+ +
Please see the SSI tutorial for a more + complete discussion of server-side includes.
+
CGI example
+ +
Finally, you may wish to use a .htaccess file to permit + the execution of CGI programs in a particular directory. This may be + implemented with the following configuration:
+ +
+ Options +ExecCGI + AddHandler cgi-script cgi pl +
+ +
Alternately, if you wish to have all files in the given directory be + considered to be CGI programs, this may be done with the following + configuration:
+ +
+ Options +ExecCGI + SetHandler cgi-script +
+ +
Note that AllowOverride Options must be in effect for + these directives to have any effect.
+ +
Please see the CGI tutorial for a more + complete discussion of CGI programming and configuration.
+ +
Troubleshooting
+ +
When you put configuration directives in a .htaccess + file, and you don't get the desired effect, there are a number of + things that may be going wrong.
+ +
Most commonly, the problem is that AllowOverride is not + set such that your configuration directives are being honored. Make + sure that you don't have a AllowOverride None in effect + for the file scope in question. A good test for this is to put garbage + in your .htaccess file and reload. If a server error is + not generated, then you almost certainly have AllowOverride + None in effect.
+ +
If, on the other hand, you are getting server errors when trying to + access documents, check your Apache error log. It will likely tell you + that the directive used in your .htaccess file is not permitted. + Alternately, it may tell you that you had a syntax error, which you + will then need to fix.
+ +

Apache HTTP Server Version 2.0

\ No newline at end of file diff --git a/docs/manual/howto/htaccess.xml b/docs/manual/howto/htaccess.xml new file mode 100755 index 0000000000..b6e804ef4c --- /dev/null +++ b/docs/manual/howto/htaccess.xml @@ -0,0 +1,358 @@ + + + + + + +Apache Tutorial: .htaccess files + +

.htaccess files provide a way to make configuration +changes on a per-directory basis.

+ + + +

+What they are/How to use them + +

.htaccess files (or "distributed configuration files") + provide a way to make configuration changes on a per-directory basis. A + file, containing one or more configuration directives, is placed in a + particular document directory, and the directives apply to that + directory, and all subdirectories thereof.

+ + +

Note: If you want to call your .htaccess file something + else, you can change the name of the file using the AccessFileName + directive. For example, if you would rather call the file + .config then you can put the following in your server + configuration file:

+ + + AccessFileName .config + + + +

What you can put in these files is determined by the AllowOverride + directive. This directive specifies, in categories, what directives + will be honored if they are found in a .htaccess file. If + a directive is permitted in a .htaccess file, the + documentation for that directive will contain an Override section, + specifying what value must be in AllowOverride in order + for that directive to be permitted.

+ +

For example, if you look at the documentation for the AddDefaultCharset + directive, you will find that it is permitted in .htaccess + files. (See the Context line in the directive summary.) The Override line reads + "FileInfo". Thus, you must have at least + "AllowOverride FileInfo" in order for this directive to be + honored in .htaccess files.

+ +Example: + + + + + + + + + + + + + +

Context:	server config, virtual host, directory, .htaccess
Override:	FileInfo

+ + + +

If you are unsure whether a particular directive is permitted in a + .htaccess file, look at the documentation for that + directive, and check the Context line for ".htaccess."

+ +

+ When (not) to use .htaccess files + +

In general, you should never use .htaccess files unless + you don't have access to the main server configuration file. There is, + for example, a prevailing misconception that user authentication should + always be done in .htaccess files. This is simply not the + case. You can put user authentication configurations in the main server + configuration, and this is, in fact, the preferred way to do + things.

+ +

.htaccess files should be used in a case where the + content providers need to make configuration changes to the server on a + per-directory basis, but do not have root access on the server system. + In the event that the server administrator is not willing to make + frequent configuration changes, it might be desirable to permit + individual users to make these changes in .htaccess files + for themselves. This is particularly true, for example, in cases where + ISPs are hosting multiple user sites on a single machine, and want + their users to be able to alter their configuration.

+ +

However, in general, use of .htaccess files should be + avoided when possible. Any configuration that you would consider + putting in a .htaccess file, can just as effectively be + made in a Directory section in your main server + configuration file.

+ +

There are two main reasons to avoid the use of + .htaccess files.

+ +

The first of these is performance. When AllowOverride + is set to allow the use of .htaccess files, Apache will + look in every directory for .htaccess files. Thus, + permitting .htaccess files causes a performance hit, + whether or not you actually even use them! Also, the + .htaccess file is loaded every time a document is + requested.

+ +

Further note that Apache must look for .htaccess files + in all higher-level directories, in order to have a full complement of + directives that it must apply. (See section on how + directives are applied.) Thus, if a file is requested out of a + directory /www/htdocs/example, Apache must look for the + following files:

+ + + /.htaccess
+ /www/.htaccess
+ /www/htdocs/.htaccess
+ /www/htdocs/example/.htaccess + + +

And so, for each file access out of that directory, there are 4 + additional file-system accesses, even if none of those files are + present. (Note that this would only be the case if .htaccess files were + enabled for /, which is not usually the case.)

+ +

The second consideration is one of security. You are permitting + users to modify server configuration, which may result in changes over + which you have no control. Carefully consider whether you want to give + your users this privilege. Note also that giving users less + privileges than they need will lead to additional technical support + requests. Make sure you clearly tell your users what level of + privileges you have given them. Specifying exactly what you have set + AllowOverride to, and pointing them to the relevant + documentation, will save yourself a lot of confusion later.

+ +

Note that it is completely equivalent to put a .htaccess file in a + directory /www/htdocs/example containing a directive, and + to put that same directive in a Directory section <Directory + /www/htdocs/example> in your main server configuration:

+ +

.htaccess file in /www/htdocs/example:

+ + Contents of .htaccess file in + <code>/www/htdocs/example</code> + AddType text/example .exm + + + Section from your <code>httpd.conf</code> + file + <Directory /www/htdocs/example>
+ AddType text/example .exm
+ </Directory> + + +

However, putting this configuration in your server configuration + file will result in less of a performance hit, as the configuration is + loaded once when Apache starts, rather than every time a file is + requested.

+ +

The use of .htaccess files can be disabled completely + by setting the AllowOverride directive to "none"

+ + + AllowOverride None + +

+ +

How directives are applied + +

The configuration directives found in a .htaccess file + are applied to the directory in which the .htaccess file + is found, and to all subdirectories thereof. However, it is important + to also remember that there may have been .htaccess files + in directories higher up. Directives are applied in the order that they + are found. Therefore, a .htaccess file in a particular + directory may override directives found in .htaccess files + found higher up in the directory tree. And those, in turn, may have + overridden directives found yet higher up, or in the main server + configuration file itself.

+ +

Example:

+ +

In the directory /www/htdocs/example1 we have a + .htaccess file containing the following:

+ + + Options +ExecCGI + + +

(Note: you must have "AllowOverride Options" in effect + to permit the use of the "Options" directive in + .htaccess files.)

+ +

In the directory /www/htdocs/example1/example2 we have + a .htaccess file containing:

+ + + Options Includes + + +

Because of this second .htaccess file, in the directory + /www/htdocs/example1/example2, CGI execution is not + permitted, as only Options Includes is in effect, which + completely overrides any earlier setting that may have been in + place.

+ +

Authentication example + +

If you jumped directly to this part of the document to find out how + to do authentication, it is important to note one thing. There is a + common misconception that you are required to use + .htaccess files in order to implement password + authentication. This is not the case. Putting authentication directives + in a <Directory> section, in your main server + configuration file, is the preferred way to implement this, and + .htaccess files should be used only if you don't have + access to the main server configuration file. See above for a discussion of when you should and should + not use .htaccess files.

+ +

Having said that, if you still think you need to use a + .htaccess file, you may find that a configuration such as + what follows may work for you.

+ +

You must have "AllowOverride AuthConfig" in effect for + these directives to be honored.

+ +

.htaccess file contents:

+ + + AuthType Basic
+ AuthName "Password Required"
+ AuthUserFile /www/passwords/password.file
+ AuthGroupFile /www/passwords/group.file
+ Require Group admins + + +

Note that AllowOverride AuthConfig must be in effect + for these directives to have any effect.

+ +

Please see the authentication tutorial for a + more complete discussion of authentication and authorization.

+ +

Server side includes example + +

Another common use of .htaccess files is to enable + Server Side Includes for a particular directory. This may be done with + the following configuration directives, placed in a + .htaccess file in the desired directory:

+ + + Options +Includes
+ AddType text/html shtml
+ AddHandler server-parsed shtml + + +

Note that AllowOverride Options and AllowOverride + FileInfo must both be in effect for these directives to have any + effect.

+ +

Please see the SSI tutorial for a more + complete discussion of server-side includes.

+ +

CGI example + +

Finally, you may wish to use a .htaccess file to permit + the execution of CGI programs in a particular directory. This may be + implemented with the following configuration:

+ + + Options +ExecCGI
+ AddHandler cgi-script cgi pl + + +

Alternately, if you wish to have all files in the given directory be + considered to be CGI programs, this may be done with the following + configuration:

+ + + Options +ExecCGI
+ SetHandler cgi-script + + +

Note that AllowOverride Options must be in effect for + these directives to have any effect.

+ +

Please see the CGI tutorial for a more + complete discussion of CGI programming and configuration.

+ +

Troubleshooting + +

When you put configuration directives in a .htaccess + file, and you don't get the desired effect, there are a number of + things that may be going wrong.

+ +

Most commonly, the problem is that AllowOverride is not + set such that your configuration directives are being honored. Make + sure that you don't have a AllowOverride None in effect + for the file scope in question. A good test for this is to put garbage + in your .htaccess file and reload. If a server error is + not generated, then you almost certainly have AllowOverride + None in effect.

+ +

If, on the other hand, you are getting server errors when trying to + access documents, check your Apache error log. It will likely tell you + that the directive used in your .htaccess file is not permitted. + Alternately, it may tell you that you had a syntax error, which you + will then need to fix.

+ +

+ + diff --git a/docs/manual/howto/public_html.html.en b/docs/manual/howto/public_html.html.en new file mode 100644 index 0000000000..df80be4fec --- /dev/null +++ b/docs/manual/howto/public_html.html.en @@ -0,0 +1,108 @@ +Per-user web directories - Apache HTTP Server

Apache HTTP Server Version 2.0
Per-user web directories
+
On systems with multiple users, each user can be permitted to have a + web site in their home directory using the UserDir directive. Visitors + to a URL http://example.com/~username/ will get content + out of the home directory of the user "username", out of + the subdirectory specified by the UserDir directive.
+ +
Per-user web directories
Setting the file path with UserDir
Restricting what users are permitted to use this + feature
Enabling a cgi directory for each user
Allowing users to alter configuration
Per-user web directories
+ +
Related Modules

mod_userdir
Related Directives

UserDir
DirectoryMatch
AllowOverride
+
Setting the file path with UserDir
+ + +
The UserDir + directive specifies a directory out of which per-user + content is loaded. This directive may take several different forms.
+ +
If a path is given which does not start with a leading slash, it is + assumed to be a directory path relative to the home directory of the + specified user. Given this configuration:
+ +
+ UserDir public_html +
+ +
the URL http://example.com/~rbowen/file.html will be + translated to the file path + /home/rbowen/public_html/file.html
+ +
If a path is given starting with a slash, a directory path will be + constructed using that path, plus the username specified. Given this + configuration:
+ +
+ UserDir /var/html +
+ +
the URL http://example.com/~rbowen/file.html will be + translated to the file path /var/html/rbowen/file.html
+ +
If a path is provided which contains an asterisk (*), a path is used + in which the asterisk is replaced with the username. Given this + configuration:
+ +
+ UserDir /var/www/*/docs +
+ +
the URL http://example.com/~rbowen/file.html will be + translated to the file path + /var/www/rbowen/docs/file.html
+ +
Restricting what users are permitted to use this + feature
+ + +
Using the syntax show in the UserDir documentation, you can restrict + what users are permitted to use this functionality:
+ +
+ UserDir enabled + UserDir disabled root jro fish +
+ +
The configuration above will enable the feature for all users + except for those listed in the disabled statement. + You can, likewise, disable the feature for all but a few users by + using a configuration like the following:
+ +
+ UserDir disabled + UserDir enabled rbowen krietz +
+ +
See UserDir + documentation for additional examples.
+ +
Enabling a cgi directory for each user
+ + +
In order to give each user their own cgi-bin directory, you can use + a DirectoryMatch + directive to make a particular subdirectory of a user's home directory + cgi-enabled.
+ +
+ <DirectoryMatch /home/*/cgi-bin/> + Options +ExecCGI + SetHandler cgi-script + </DirectoryMatch> +
+ +
Allowing users to alter configuration
+ + +
If you want to allows users to modify the server configuration in + their web space, they will need to use .htaccess files to + make these changed. Ensure that you have set AllowOverride to a + value sufficient for the directives that you want to permit the users + to modify. See the .htaccess tutorial for + additional details on how this works.
+ +

Apache HTTP Server Version 2.0

\ No newline at end of file diff --git a/docs/manual/howto/public_html.xml b/docs/manual/howto/public_html.xml new file mode 100644 index 0000000000..b2bf17d606 --- /dev/null +++ b/docs/manual/howto/public_html.xml @@ -0,0 +1,136 @@ + + + + + + + Per-user web directories + +

On systems with multiple users, each user can be permitted to have a + web site in their home directory using the UserDir directive. Visitors + to a URL http://example.com/~username/ will get content + out of the home directory of the user "username", out of + the subdirectory specified by the UserDir directive.

+ +

+ + + +

+ Setting the file path with <directive + module="mod_userdir">UserDir</directive> + +

The UserDir + directive specifies a directory out of which per-user + content is loaded. This directive may take several different forms.

+ +

If a path is given which does not start with a leading slash, it is + assumed to be a directory path relative to the home directory of the + specified user. Given this configuration:

+ + + UserDir public_html + + +

the URL http://example.com/~rbowen/file.html will be + translated to the file path + /home/rbowen/public_html/file.html

+ +

If a path is given starting with a slash, a directory path will be + constructed using that path, plus the username specified. Given this + configuration:

+ + + UserDir /var/html + + +

the URL http://example.com/~rbowen/file.html will be + translated to the file path /var/html/rbowen/file.html

+ +

If a path is provided which contains an asterisk (*), a path is used + in which the asterisk is replaced with the username. Given this + configuration:

+ + + UserDir /var/www/*/docs + + +

the URL http://example.com/~rbowen/file.html will be + translated to the file path + /var/www/rbowen/docs/file.html

+ +

+ Restricting what users are permitted to use this + feature + +

Using the syntax show in the UserDir documentation, you can restrict + what users are permitted to use this functionality:

+ + + UserDir enabled
+ UserDir disabled root jro fish + + +

The configuration above will enable the feature for all users + except for those listed in the disabled statement. + You can, likewise, disable the feature for all but a few users by + using a configuration like the following:

+ + + UserDir disabled
+ UserDir enabled rbowen krietz + + +

See UserDir + documentation for additional examples.

+ +

+ Enabling a cgi directory for each user + +

In order to give each user their own cgi-bin directory, you can use + a DirectoryMatch + directive to make a particular subdirectory of a user's home directory + cgi-enabled.

+ + + <DirectoryMatch /home/*/cgi-bin/>
+ Options +ExecCGI
+ SetHandler cgi-script
+ </DirectoryMatch> + + +

+ +

+ Allowing users to alter configuration + +

If you want to allows users to modify the server configuration in + their web space, they will need to use .htaccess files to + make these changed. Ensure that you have set AllowOverride to a + value sufficient for the directives that you want to permit the users + to modify. See the .htaccess tutorial for + additional details on how this works.

+ +