Hitachi

Hitachi Application Server V10 Definition Reference Guide (For UNIX® Systems)


2.5 Access control file

The access control file defines the access controls.

Description

Create an access control file (.htaccess) in a specific directory to specify an access permission for the directory.

Specify the name of the access control file by using the AccessFileName directive. The default is .htaccess.

You can enable the access controls in the access control file without restarting the web server. However, you need to set the AllowOverride directive in httpsd.conf to the appropriate level that permits overwriting to make the access controls function properly.

If you specify a password file for the access control file, when a user accesses the directory, the user is asked to enter a user name and password.

The access control file (.htaccess) does not need to correspond with the password file (.htpasswd) on a one-to-one basis. You can specify the same password file for the AuthUserFile directive in a different access control file.

Syntax

The syntax of the directive is as follows.

Regular expression:

The following are the regular expressions that can be used for defining the directive:

Each entry below gives the code, its functionality, a usage example, and the meaning of the usage example.

.
  Functionality: Any single character
  Usage example: a...c
  Meaning: a is followed by any 3 characters, and then c. For example, abcdc matches this code.

*
  Functionality: The character right before this code is repeated zero or more times
  Usage example: ab*cd*
  Meaning: For example, ac, abbbbc, and abbbbcd match this example code.

+
  Functionality: The character right before this code is repeated one or more times
  Usage example: ab*c+
  Meaning: For example, abbbc matches this example code, but abbb does not.

?
  Functionality: Whether a character right before this code exists
  Usage example: abbbc?
  Meaning: For example, abbbc and abbb match this example code.

|
  Functionality: A delimiter for options
  Usage example: a|bc|d
  Meaning: a, bc, or d

\
  Functionality: A special character (. ^$*+?|\[](){}) comes right after this code. However, \\\ is used to express \.
  Usage example: \.
  Meaning: For example, . matches this example code.
  Usage example: \\\
  Meaning: For example, a single character \ matches this example code.

^
  Functionality: The characters after the symbol are at the beginning of the line
  Usage example: ^ab
  Meaning: For example, abcde matches this example code.

$
  Functionality: The characters before the symbol are at the end of the line
  Usage example: abc$
  Meaning: For example, aaabc matches this example code.

{m}
  Functionality: The regular expression right before this code is repeated m times
  Usage example: a{5}
  Meaning: For example, aaaaa matches this example code.

{m,}
  Functionality: The regular expression right before this code is repeated m or more times
  Usage example: a{3,}
  Meaning: For example, aaa and aaaa match this example code, but aa does not.

{m,n}
  Functionality: The regular expression right before this code is repeated m or more times, and n or fewer times
  Usage example: a{3,5}
  Meaning: For example, aaa, aaaa, and aaaaa match this example code. aa and aaaaaa do not match this code.

[character_string]
  Functionality: The character is in the character string#
  Usage example: [abc]* or [a-c]*
  Meaning: For example, aaa, bbb, ccc, cba, and aab match this example code.

[^character_string]
  Functionality: The character is not in the character string
  Usage example: [^0-9]
  Meaning: Any single character other than a numerical character matches this example code.

(character_string)
  Functionality: The character string is grouped
  Usage example: (ab)+
  Meaning: For example, ababab matches this example code, but ababb does not.
  Usage example: aa(xx|yy)bb
  Meaning: For example, aaxxbb and aayybb match this example code.

#

The following three characters have special meanings in [character_string].

^: Specify this character after the opening square bracket ([) to indicate characters that are not included in the character string.

]: This character is used to indicate the end of the character string.

-: This character is used to specify a range.

In addition, backslashes (\) used before these special characters are omitted.

To use characters that have special meanings in [character_string] as normal characters, specify the character as below. Note that special characters other than the following four characters are treated as normal characters.

^: Specify this character anywhere except at the beginning of the character string. Example: [ab^yz]

]: Specify this character at the beginning of the character string. Example: []abxy]

-: Specify this character at the end of the character string. Example: [abxy-]

\: Specify \\\. Example: [\\\abxy]
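To see how the rows of the table behave in practice, here is an added example that is not part of the Hitachi manual: it runs the table's own usage examples through Python's re module, used as a stand-in for the server's regular-expression engine because every row above is written in portable syntax (the \\\ rows are left out, since that escape form is specific to this server's definition files). The point it makes is that the "does not match" cases for a{3,5} and (ab)+ only hold when the whole string has to match, while the ^ab and abc$ rows assume the expression may match anywhere in the string. Assuming the Apache behaviour for SetEnvIf in httpsd.conf (see Example 4), where the expression is searched for anywhere in the header value, a pattern must be anchored with ^ and $ when the position of the match matters.

```python
"""Added example: checking the regular-expression table with Python's re."""
import re

# Rows transcribed from the table above:
# (pattern, strings that should match, strings that should not match).
TABLE = [
    ("a...c", ["abcdc"], []),
    ("ab*cd*", ["ac", "abbbbc", "abbbbcd"], []),
    ("ab*c+", ["abbbc"], ["abbb"]),
    ("abbbc?", ["abbbc", "abbb"], []),
    ("a|bc|d", ["a", "bc", "d"], []),
    (r"\.", ["."], []),
    ("^ab", ["abcde"], []),
    ("abc$", ["aaabc"], []),
    ("a{5}", ["aaaaa"], []),
    ("a{3,}", ["aaa", "aaaa"], ["aa"]),
    ("a{3,5}", ["aaa", "aaaa", "aaaaa"], ["aa", "aaaaaa"]),
    ("[abc]*", ["aaa", "bbb", "ccc", "cba", "aab"], []),
    ("[a-c]*", ["aaa", "bbb", "ccc", "cba", "aab"], []),
    ("[^0-9]", ["x"], ["7"]),
    ("(ab)+", ["ababab"], ["ababb"]),
    ("aa(xx|yy)bb", ["aaxxbb", "aayybb"], []),
    # Special characters used literally inside [...] (footnote # above);
    # the "c" non-match strings are constructed for this example.
    ("[ab^yz]", ["^"], ["c"]),
    ("[]abxy]", ["]"], ["c"]),
    ("[abxy-]", ["-"], ["c"]),
]


def matches(pattern, text, anchored):
    """anchored=True: the whole string must match.
    anchored=False: the pattern may match anywhere, as SetEnvIf does."""
    engine = re.fullmatch if anchored else re.search
    return engine(pattern, text) is not None


def disagreements(anchored):
    """Return (pattern, text) pairs where the engine disagrees with the table."""
    bad = []
    for pattern, should, should_not in TABLE:
        bad += [(pattern, t) for t in should if not matches(pattern, t, anchored)]
        bad += [(pattern, t) for t in should_not if matches(pattern, t, anchored)]
    return bad


if __name__ == "__main__":
    # Whole-string matching breaks only the ^ab and abc$ rows; matching
    # anywhere breaks only the a{3,5} and (ab)+ "does not match" claims.
    print("anchored:", disagreements(anchored=True))
    print("search:  ", disagreements(anchored=False))
```

Run stand-alone, the script lists the two rows that fail under each reading, which is the same list a reviewer of an access-control expression should keep in mind: an unanchored a{3,5} accepts aaaaaa because it finds aaaaa inside it.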

Path information to be specified in the directive:

For directives that specify the directory name, file name or path name, the path information that can be specified differs depending on the types of directives.

The following are the types of paths. The path information for each directive is explained in each directive.

  • Absolute path.

  • Relative path from the value specified in the ServerRoot directive (however, note that the ServerRoot directive must be specified in advance).

In addition, you cannot specify directories or files that reside on the network, or on a network file system, in the path information.

Comment line:

In the configuration file, add a hash mark (#) to the beginning of the line to make a comment line. However, if you write a character string that begins with a hash mark after the directive is specified, the characters after the hash mark will not be treated as comments.

The following shows an example of specifying a comment line:

  • Correct example:

    #Deny from all

    The line beginning with the hash mark is treated as a comment line.

  • Incorrect example:

    Deny from all    #comment

    The #comment part will be treated as a value specified for the directive. This will not be treated as a comment.

Notes on specification of IPv6 addresses

To describe the IPv6 address in the directive, enclose the IPv6 address in square brackets ([]), such as [IPv6_address]. In addition, when writing both the IPv6 address and the port number in the directive, enclose the IPv6 address in square brackets and specify the port number after a colon (:), such as [IPv6_address]:port_number.

However, do not enclose the IPv6 address in square brackets when writing the IPv6 address in the following directives:

  • The Allow from directive

  • The Deny from directive

  • The HWSSetEnvIfIPv6 directive

When you want to specify the IPv6 address for these directives, specify a global unicast address.

Storage location

The directory for which access permissions are to be defined

Examples

Use the following directory configuration to specify access permissions in the access control file for each directory.

[public_html for user001]
 |
 +-[auth]--+-.htaccess
 |         +-index.html
 |
 +-[test1]-+-.htaccess
 |         +-.htpasswd (user001/test1)
 |         +-index.html
 |         +-[test11]-+-.htaccess
 |         |          +-.htpasswd (user001/test11)
 |         |          +-index.html
 |         |
 |         +-[test12]-+-index.html
 |                    +-[test121]-+-.htaccess
 |                                +-index.html
 |
 +-[test2]-+-.htaccess
           +-.htpasswd (user001/test21,user002/test22,user003/test23)
           +-.groupfile(mygroup:  user001 user002)
           +-index.html

Example 1: Defining access permissions for the auth directory (auth/.htaccess file)

Denying access from the servers with the IP addresses 172.18.102.11 and 172.16.202.4.

Order deny,allow                     ...1.
Deny from 172.18.102.11 172.16.202.4  ...2.
  1. Evaluate the definition of access denial first.

  2. Definition of the access denial

Example 2: Defining access permissions for the test1 directory (test1/.htaccess file)

Permit access to test1/index.html and test1/test12/index.html only when you enter the user name user001 and the password test1.

AuthUserFile C:/user001/public_html/test1/.htpasswd      ...1.
AuthName "test1 Directory"                               ...2.
AuthType Basic
<Limit GET POST>                                         ...3.
   Require user user001                                  ...4.
</Limit>
  1. Definition of the user name (user001) and password (test1) registered in the password file.

  2. Definition of the realm name

  3. Definition of the method

  4. Access for the user name user001 is permitted.

Example 3: Defining access permissions for the test1/test11 directory (test1/test11/.htaccess file)

Permit access to test1/test11/index.html only when you enter the user name user001 and the password test11.

AuthUserFile C:/user001/public_html/test1/test11/.htpasswd      ...1.
AuthName "test11 Directory"                                     ...2.
AuthType Basic
<Limit GET POST>                                                ...3.
   Require user user001                                         ...4.
</Limit>
  1. Definition of the user name (user001) and password (test11) registered in the password file.

  2. Definition of the realm name

  3. Definition of the method

  4. Access for the user name user001 is permitted.

Example 4: Defining access permissions for the test1/test12/test121 directory (test1/test12/test121/.htaccess file)

Permit access to test1/test12/test121/index.html only when you enter the user name user001, the password test1, and your web browser is MSIE.

Order deny,allow      ...1.
Allow from env=MSIE   ...2.
Deny from all         ...3.
  1. Evaluate the definition of access denial first.

  2. If your web browser is MSIE, access is permitted.

  3. Access from all hosts is denied.

Note that the directive shown below must be defined in httpsd.conf.

SetEnvIf User-Agent ".*MSIE.*" MSIE
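To make the evaluation of these directives concrete, here is an added example in Python that is not code from the Hitachi manual or from the web server itself. It parses the .htaccess fragments from Examples 1 and 4 with the comment-line rule described above (a leading # is a comment, a trailing #comment is part of the directive's value), applies the SetEnvIf line from httpsd.conf, and then decides access from Order, Allow from and Deny from. Apache semantics are assumed throughout: Order deny,allow is default-allow with Allow overriding Deny, Order allow,deny is default-deny, a partial dotted address such as 172.18 matches a prefix, and SetEnvIf searches the header value anywhere. The client addresses 10.0.0.5 and 2001:db8::1 and the User-Agent strings are constructed for the example; password checking for Require user/group is not modelled.

```python
"""Added example: a toy evaluator for Order / Allow from / Deny from rules."""
import ipaddress
import re
import shlex

# Configuration fragments taken from the examples on this page.
HTTPSD_CONF = """
# httpsd.conf fragment required by Example 4: flag MSIE clients.
SetEnvIf User-Agent ".*MSIE.*" MSIE
"""

AUTH_HTACCESS = """
#Deny from all
Order deny,allow
Deny from 172.18.102.11 172.16.202.4
"""

TEST121_HTACCESS = """
Order deny,allow
Allow from env=MSIE
Deny from all
"""


def parse_directives(text):
    """Return [(directive, [arguments])] for every non-comment line.

    Only a '#' at the start of a line opens a comment.  A '#' that appears
    after the directive stays in the argument list, which is the pitfall
    described under "Comment line" ("Deny from all    #comment").
    """
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line, comments=False, posix=True)
        directives.append((tokens[0], tokens[1:]))
    return directives


def apply_setenvif(directives, request, env):
    """Process 'SetEnvIf attribute regex VAR[=value] ...' lines.

    The regex is searched, not anchored, so ".*MSIE.*" and "MSIE" select
    the same clients; write ^ or $ explicitly when position matters.
    """
    for name, args in directives:
        if name != "SetEnvIf" or len(args) < 3:
            continue
        attribute, pattern, *assignments = args
        if attribute == "Remote_Addr":
            value = request["ip"]
        else:
            value = request["headers"].get(attribute.lower(), "")
        if re.search(pattern, value):
            for assignment in assignments:
                if assignment.startswith("!"):
                    env.pop(assignment[1:], None)
                else:
                    var, _, val = assignment.partition("=")
                    env[var] = val or "1"
    return env


def host_matches(spec, request, env):
    """Test one 'Allow from' / 'Deny from' argument against the request."""
    if spec == "all":
        return True
    if spec.startswith("env="):
        return spec[4:] in env
    ip = ipaddress.ip_address(request["ip"])
    try:
        # A full address or a network, IPv4 or IPv6.  IPv6 is written bare,
        # without square brackets, as the page notes for these directives.
        return ip in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        # Partial dotted address such as "172.18" (Apache semantics);
        # anything else, e.g. a stray "#comment" token, matches nothing.
        return (request["ip"] + ".").startswith(spec.rstrip(".") + ".")


def access_allowed(htaccess_text, request, env):
    """Evaluate the host-based rules the way Apache's mod_access does."""
    order = "deny,allow"
    allowed = denied = False
    for name, args in parse_directives(htaccess_text):
        if name == "Order" and args:
            order = args[0].lower()
        elif name in ("Allow", "Deny") and args[:1] == ["from"]:
            hit = any(host_matches(spec, request, env) for spec in args[1:])
            if name == "Allow":
                allowed = allowed or hit
            else:
                denied = denied or hit
    if order == "deny,allow":
        # Default allow: a Deny match is overridden by any Allow match.
        return allowed or not denied
    # allow,deny and mutual-failure: default deny.
    return allowed and not denied


def decide(htaccess_text, ip, user_agent):
    """Run SetEnvIf from httpsd.conf, then the .htaccess rules."""
    request = {"ip": ip, "headers": {"user-agent": user_agent}}
    env = apply_setenvif(parse_directives(HTTPSD_CONF), request, {})
    return access_allowed(htaccess_text, request, env)
```

Calling decide(AUTH_HTACCESS, "172.18.102.11", "Mozilla/5.0") returns False and decide(TEST121_HTACCESS, "10.0.0.5", "Mozilla/4.0 (compatible; MSIE 6.0)") returns True, which is the behaviour Examples 1 and 4 describe. Note that a User-Agent header is chosen by the client, so an env=MSIE rule is a convenience filter, not an authentication control; the Require user rule inherited from test1/.htaccess is what actually identifies the user in Example 4.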

Example 5: Defining access permissions for the test2 directory (test2/.htaccess file)

Permit access to test2/index.html only when you enter a user name and password for the mygroup group.

AuthUserFile C:/user001/public_html/test2/.htpasswd        ...1.
AuthGroupFile C:/user001/public_html/test2/.groupfile      ...2.
AuthName "test2 Directory"                                 ...3.
AuthType Basic
<Limit GET POST>                                           ...4.
   Require group mygroup                                   ...5.
</Limit>
  1. Definition of the following data stored in the password file

    User name: user001, Password: test21

    User name: user002, Password: test22

    User name: user003, Password: test23

  2. Definition of the group name (mygroup) stored in the group file, and the user names (user001, user002, and user003) registered in mygroup

  3. Definition of the realm name

  4. Definition of the method

  5. Access for the mygroup group is permitted.