mod_htaccess

MODULE

mod_htaccess

MODULE SUMMARY

This module provides per-directory, user-configurable access control.

DESCRIPTION

This module provides per-directory, runtime-configurable user authentication. Each directory in the path to the requested asset is searched for an access-file (default .htaccess) that restricts the webserver's right to respond to a request. If an access-file is found, the rules in that file are applied to the request.

The rules in an access-file apply both to files in the same directory and to files in its subdirectories. If more than one access-file exists in the path to an asset, the rules in the access-file nearest the requested asset are applied.

If many users have web pages on the webserver and every user needs to manage the security issues alone, use this module.

To change the rules that restrict the use of an asset, the user only needs write access to the directory where the asset exists.

When a request arrives, the path to the requested asset is searched for access-files with the name specified by the AccessFileName parameter (default .htaccess). When such a file is found, it is parsed and the restrictions in the file are applied to the request. This means that a user does not need access to the webserver's configuration file to limit access to an asset. Furthermore, the user can change the rules and the changes are applied immediately.

All the access-files in the path to a requested asset are read once per request, so the load on the server increases when this module is used.

The following configuration directives are supported:

DIRECTIVE: "AccessFileName"

Syntax: AccessFileName FileName1 FileName2
Default: .htaccess
Module: mod_htaccess(3)

AccessFileName specifies which filenames are used for access-files. When a request arrives, every directory in the path to the requested asset is searched for files with the names specified by this parameter. If such a file is found, it is parsed and the restrictions specified in it are applied to the request.

Access Files Directives

In every directory under the DocumentRoot or under an Alias, a user can place an access-file. An access-file is a plain text file that specifies the restrictions that shall be considered before the webserver answers a request. If there is more than one access-file in the path to the requested asset, the directives in the access-file in the directory nearest the asset are used.

DIRECTIVE: "allow"

Syntax: Allow from subnet subnet|from all
Default: from all
Module: mod_htaccess(3)
Context: <Limit>
Related: mod_auth(3)

See the allow directive in the documentation of mod_auth(3) for more information.

DIRECTIVE: "AllowOverRide"

Syntax: AllowOverRide all | none | Directives
Default: - None -
Module: mod_htaccess(3)

AllowOverRide specifies which parameters that not access-files in subdirectories are allowed to alter the value for. If the parameter is set to none, no more access-files will be parsed.

If only one access-file exists, setting this parameter to none can lessen the burden on the server, since the server will stop looking for access-files.

DIRECTIVE: "AuthGroupFile"

Syntax: AuthGroupFile Filename
Default: - None -
Module: mod_htaccess(3)
Related: mod_auth(3)

AuthGroupFile indicates which file contains the list of groups. Filename must contain the absolute path to the file. The format of the file is one group per row, and every row contains the name of the group and the members of the group separated by a space, for example:

      GroupName: Member1 Member2 .... MemberN
    

DIRECTIVE: "AuthName"

Syntax: AuthName auth-domain
Default: - None -
Module: mod_htaccess(3)
Related: mod_auth(3)

See the AuthName directive in the documentation of mod_auth(3) for more information.

DIRECTIVE: "AuthType"

Syntax: AuthType Basic
Default: Basic
Module: mod_htaccess(3)

AuthType specifies which authentication scheme shall be used. Today only Basic authentication, using UUEncoding of the password and user ID, is implemented.

DIRECTIVE: "AuthUserFile"

Syntax: AuthUserFile Filename
Default: - None -
Module: mod_htaccess(3)
Related: mod_auth(3)

AuthUserFile indicates which file contains the list of users. Filename must contain the absolute path to the file. The user names and passwords are not encrypted, so do not place the file with users in a directory that is accessible via the webserver. The format of the file is one user per row, and every row contains the user name and password separated by a colon, for example:

        UserName:Password
        UserName:Password
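
The placement rule above can be checked mechanically. The following Python script is an added example, not part of inets or of the original page: it walks a DocumentRoot, reads every access-file, and reports AuthUserFile and AuthGroupFile targets that resolve to a path inside the DocumentRoot. The function names, the case-insensitive directive matching and the constructed sample tree are assumptions of this example.

```python
import os
import tempfile

# Matched case-insensitively (an assumption of this example).
AUTH_DIRECTIVES = ("authuserfile", "authgroupfile")

def find_exposed_auth_files(document_root, access_file_names=(".htaccess",)):
    """Return sorted (access_file, directive, target) tuples for every
    AuthUserFile/AuthGroupFile target that resolves inside document_root."""
    root = os.path.realpath(document_root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in access_file_names:
                continue
            access_file = os.path.join(dirpath, name)
            with open(access_file, encoding="utf-8", errors="replace") as fh:
                for line in fh:
                    parts = line.split(None, 1)
                    if len(parts) != 2 or parts[0].lower() not in AUTH_DIRECTIVES:
                        continue
                    target = parts[1].strip()
                    if not os.path.isabs(target):
                        continue  # the page requires an absolute path
                    resolved = os.path.realpath(target)  # follows symlinks
                    if os.path.commonpath([root, resolved]) == root:
                        findings.append((access_file, parts[0], resolved))
    return sorted(findings)

def demo():
    """Run the audit on a constructed tree; paths are returned relative to the root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(os.path.join(tmp, "htdocs"))
        private, safe = os.path.join(root, "private"), os.path.join(root, "safe")
        outside = os.path.join(os.path.realpath(tmp), "auth")
        for directory in (private, safe, outside):
            os.makedirs(directory)
        # Constructed sample: user list stored next to the protected pages.
        with open(os.path.join(private, ".htaccess"), "w") as fh:
            fh.write("AuthName private\nAuthUserFile %s/users\n" % private)
        # Constructed sample: user and group lists stored outside the DocumentRoot.
        with open(os.path.join(safe, ".htaccess"), "w") as fh:
            fh.write("AuthUserFile %s/users\nAuthGroupFile %s/groups\n" % (outside, outside))
        return [(os.path.relpath(a, root), d, os.path.relpath(t, root))
                for a, d, t in find_exposed_auth_files(root)]

if __name__ == "__main__":
    for access_file, directive, target in demo():
        print("%s: %s points inside the DocumentRoot (%s)" % (access_file, directive, target))
```

Run the same check against every Alias directory as well, since access-files can be placed there too, and pass the configured AccessFileName values as access_file_names.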
      

DIRECTIVE: "deny"

Syntax: deny from subnet subnet|from all
Default: from all
Module: mod_htaccess(3)
Context: <Limit>
Related: mod_auth(3)

See the deny directive in the documentation of mod_auth(3) for more information.

DIRECTIVE: "Limit"

Syntax: <Limit RequestMethods>
Default: - None -
Module: mod_auth(3)
Related: order, allow, deny, require

<Limit> and </Limit> are used to enclose a group of directives that apply only to requests using the specified methods. If no request method is specified, all request methods are verified against the restrictions.

        <Limit POST GET HEAD>
        order allow deny
        require group group1
        allow from 123.145.244.5
        </Limit>
      

DIRECTIVE: "order"

Syntax: order allow deny | deny allow
Default: allow deny
Module: mod_htaccess(3)
Context: order
Related: allow, deny

order defines whether the deny or the allow control shall be performed first.

If the order is set to allow deny, the user's network address is first checked to be in the allowed subset. If the user's network address is not in the allowed subset, the user is denied the asset. If the network address is in the allowed subset, a second check is performed: that the user's network address is not in the subset of network addresses that shall be denied, as specified by the deny parameter.

If the order is set to deny allow, only users from networks specified to be in the allowed subset will succeed in requesting assets in the limited area.

DIRECTIVE: "require"

Syntax: require group group1 group2...|user user1 user2...
Default: - None -
Context: <Limit>
Module: mod_htaccess(3)
Related: mod_auth(3)

See the require directive in the documentation of mod_auth(3) for more information.

EWSAPI MODULE INTERACTION

If a directory is limited by both mod_auth and mod_htaccess, the user must be allowed to request the asset by both modules.

Uses the following EWSAPI interaction data, if available:

{real_name, {Path, AfterPath}}
as defined in mod_alias(3).

Exports the following EWSAPI interaction data, if possible:

{remote_user_name, User}
The user name with which the user has authenticated himself.

Uses the following exported EWSAPI functions:

AUTHORS

Martin Gustafsson - support@erlang.ericsson.se

inets 4.4
Copyright © 1991-2005 Ericsson AB