An .htaccess Primer
by Dan Jones & WilliamC
.htaccess files, used by the Apache Webserver, are a cut-down, per-directory version of the central config file httpd.conf that governs the whole server. An .htaccess file only affects the directory it is in and those beneath it.
For example, an .htaccess file that password-protects "/web/mysite/pics/babes/" protects every file inside that directory. It will also work if you put it in "/web/mysite/pics/" instead, but then surfers will also be prompted when they try to read "/web/mysite/pics/free.jpg".
A lot of the "directives" - commands instructing the server what to do when it receives certain requests - used in httpd.conf can be used in .htaccess files, so long as your sysadmin has enabled this. Look for the AllowOverride line in httpd.conf (stored by default in /usr/local/apache/conf): "AllowOverride All" permits every directive, "AllowOverride AuthConfig Limit" is enough for the password and host-filtering directives covered below, and "AllowOverride None" makes Apache ignore .htaccess files entirely. The documentation of each directive lists the override class it needs; ask your admin for more details.
The scope of these directives is vast, but most webmasters will only need a few at most; the most useful of these are covered below.
Authentication
By far the most common use of .htaccess files is controlling access to content through password protection and host filtering. Both group- and user-based password access are supported; only user-based access is covered here, but feel free to investigate the AuthGroupFile directive for more information on groups.
AuthType
Type of authentication, required for password protection; just use "AuthType Basic". Note that Basic authentication sends the username and password base64-encoded - not encrypted - with every request, so anyone who can read the traffic can recover them; only use it over HTTPS. (Apache also offers "AuthType Digest" via mod_auth_digest, which sends a hash instead of the password itself.)
AuthName
Name of the "realm", the area the user is accessing; browsers show it in the login prompt. For example:
AuthName "Members Area"
AuthUserFile
File containing user and password information. This is the core file, required for password protection, and usually known as .htpasswd, due to this being the default filename.
Note that the passwords are stored as one-way hashes rather than in plain text, so you cannot just type a password into the file with a text editor - an entry written that way will not work. Instead, you need to use the htpasswd tool, included with Apache, as follows:
/usr/local/apache/bin/htpasswd -c /web/.htpasswd NewUser
This creates the password file "/web/.htpasswd" with username "NewUser" as its first entry; you will be prompted for a password for NewUser. The -c flag creates the file and truncates it if it already exists, so use it only the first time. The password file should be OUTSIDE YOUR HTML DIRECTORY, or surfers will be able to download your password hashes and crack them at leisure!
/usr/local/apache/bin/htpasswd /web/.htpasswd AnotherUser
Adds a user "AnotherUser" to your existing htpasswd. Again, you will be prompted for a password to set.
require
Defines which users are permitted once they have logged in, given that all access criteria are fulfilled (or not - see Satisfy). Either use "require valid-user" (any user in the password file) or "require user <user1> <user2>..." (only the named users).
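The password file and the login exchange described above, as an added example that is not part of the original article: a Python model of how Apache checks an Authorization header against an .htpasswd file. It assumes the file was written with "htpasswd -s", so each line is user:{SHA}base64(sha1(password)); the crypt, MD5 and bcrypt formats that htpasswd can also produce are not handled. The users, passwords and file contents are constructed for the demo.

```python
"""Added example, not from the original article: how Apache's Basic
authentication checks a request against an .htpasswd file, and why the
file cannot be edited by hand.

Assumptions (mine, not the page's): the password file was written with
`htpasswd -s`, so each line is `user:{SHA}<base64(sha1(password))>`;
other htpasswd formats (crypt, MD5, bcrypt) are not handled here.
The users, passwords and file contents below are constructed for the demo.
"""
import base64
import hashlib
import hmac
from typing import Dict, Optional, Tuple


def sha_entry(user: str, password: str) -> str:
    """Produce one line the way `htpasswd -s` does (SHA-1, base64, {SHA} tag)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


# Constructed /web/.htpasswd contents. The hashes are generated rather than
# typed in: there is no way to write a valid line with a text editor.
HTPASSWD = (sha_entry("NewUser", "correct horse") + "\n"
            + sha_entry("AnotherUser", "battery staple") + "\n")


def parse_htpasswd(text: str) -> Dict[str, str]:
    """Map user -> stored hash field. The first line for a user wins."""
    users: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        user, _, stored = line.partition(":")
        users.setdefault(user, stored)
    return users


def check_sha(stored: str, password: str) -> bool:
    """Verify a {SHA} field; anything else (including plain text) fails."""
    if not stored.startswith("{SHA}"):
        return False
    try:
        want = base64.b64decode(stored[len("{SHA}"):], validate=True)
    except ValueError:
        return False
    got = hashlib.sha1(password.encode("utf-8")).digest()
    return hmac.compare_digest(want, got)


def basic_header(user: str, password: str) -> str:
    """What the browser sends back after the 401 challenge. base64 is
    encoding, not encryption: without TLS anyone on the path reads it."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_header(value: str) -> Optional[Tuple[str, str]]:
    """Decode an Authorization header value; None if it is not usable Basic."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")
    return user, password


def authorize(header: Optional[str], htpasswd: str,
              required_users: Optional[set] = None) -> int:
    """Status Apache would send: 200, or 401 (with a fresh WWW-Authenticate
    challenge) for a missing, malformed, unknown, wrong or unlisted login.
    required_users=None models `require valid-user`; a set models
    `require user a b ...`."""
    if header is None:
        return 401
    creds = parse_basic_header(header)
    if creds is None:
        return 401
    user, password = creds
    stored = parse_htpasswd(htpasswd).get(user)
    if stored is None or not check_sha(stored, password):
        return 401
    if required_users is not None and user not in required_users:
        return 401
    return 200
```

Two things worth trying with it: feed authorize() a hand-written line such as "Bob:secret" and watch it fail, because the stored field is compared as a hash and never as plain text; and run parse_basic_header() over the output of basic_header() to see that the "encoded" credentials decode back to the password with no key at all, which is why Basic belongs behind HTTPS.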
Satisfy
Defines how many of the access criteria - the host restriction and the password check - must be met for access to be granted: "all" (the default) requires both, "any" accepts either one.
deny
Hostname, domain, IP address or network to which access to the directory is refused. Use "deny from all" to refuse every host; together with "satisfy any" and a require line this means a correct login and password are required from everywhere, and the login prompt appears for all hosts. Works with "allow" and "order"; examples are given below.
allow
Hostname, domain, IP address or network for which access is granted.
order
Either "deny,allow" or "allow,deny"; defines the order in which the deny and allow directives are evaluated and what happens when neither matches. With "deny,allow" (the default) a request is allowed unless it matches a deny line and no allow line; with "allow,deny" a request is refused unless it matches an allow line and no deny line.
Examples of .htaccess authorization
Basic Authentication
This prompts all remote users for a password, reading user data from /web/userfiles/.htpasswd, a file OUTSIDE the web root.

AuthType Basic                          - required
AuthUserFile /web/userfiles/.htpasswd   - password file to use
AuthName "MySite.com Member Area"       - name of realm
satisfy any                             - without this, "deny from all" would refuse everyone, password or not
require valid-user                      - any user in the password file is accepted
deny from all                           - ensure all hosts are prompted

No order line is needed because "deny,allow" is the default. Keep "satisfy any" and "deny from all" together: with "satisfy any" but no deny line, the host check passes for everyone and nobody is ever asked for a password.
Host-based authentication

order deny,allow        - evaluate deny lines first, then allow lines; a host matching both is allowed
deny from all           - deny all hosts...
allow from .mysite.com  - ...except clients whose hostname ends in .mysite.com

Matching on a hostname makes Apache do a reverse DNS lookup (and a forward lookup to confirm it) for every request, which is slow and only as trustworthy as the DNS involved; a client with no reverse record never matches. Where the clients have fixed addresses, use "allow from" with an IP address or network instead.
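The two example blocks above, and the Order/Allow/Deny/Satisfy rules they rely on, as an added example that is not part of the original article: a Python model of Apache's access decision. The directive semantics are Apache's (1.3/2.2 mod_access); the clients, addresses and hostnames are constructed for the demo, and the model goes slightly beyond the page by also handling partial-IP and CIDR arguments to allow/deny.

```python
"""Added example, not from the original article: a small model of how Apache
1.3/2.2 combines the host restriction (Order/Allow/Deny), the password check
(Require) and Satisfy to decide one request. The directive semantics are
Apache's; the clients, addresses and hostnames are constructed for the demo.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass
class Client:
    ip: str
    # Set only when Apache's double-reverse DNS lookup succeeded; a client
    # with no (or inconsistent) PTR record never matches a hostname pattern.
    hostname: Optional[str] = None


def host_matches(pattern: str, client: Client) -> bool:
    """One Allow/Deny argument: 'all', a domain or partial domain,
    a full or partial IP address, or a CIDR network."""
    p = pattern.strip().lower()
    if p == "all":
        return True
    if "/" in p:                                   # e.g. 10.0.0.0/8
        return ipaddress.ip_address(client.ip) in ipaddress.ip_network(p, strict=False)
    if p[0].isdigit():                             # "203.0.113.5" or "10.1"
        return client.ip == p or client.ip.startswith(p.rstrip(".") + ".")
    if client.hostname is None:
        return False
    h = client.hostname.lower()
    d = p.lstrip(".")                              # ".mysite.com" == "mysite.com"
    return h == d or h.endswith("." + d)


def host_allowed(order: str, allow: Sequence[str], deny: Sequence[str],
                 client: Client) -> bool:
    """mod_access: 'deny,allow' (the default) evaluates Deny then Allow and
    allows by default, so a host in both lists is allowed; 'allow,deny'
    evaluates Allow then Deny and denies by default, so a host in both is denied."""
    in_allow = any(host_matches(p, client) for p in allow)
    in_deny = any(host_matches(p, client) for p in deny)
    o = order.replace(" ", "").lower()
    if o == "deny,allow":
        return in_allow or not in_deny
    if o == "allow,deny":
        return in_allow and not in_deny
    raise ValueError(f"unknown Order: {order!r}")


def access_granted(client: Client, *, order: str = "deny,allow",
                   allow: Sequence[str] = (), deny: Sequence[str] = (),
                   satisfy: str = "all", require: bool = False,
                   user_ok: bool = False) -> bool:
    """require=False: no Require line, so only the host check counts.
    user_ok: whether the credentials the client sent satisfied Require."""
    host_ok = host_allowed(order, allow, deny, client)
    if not require:
        return host_ok
    if satisfy.lower() == "any":
        return host_ok or user_ok
    return host_ok and user_ok


# Constructed clients.
ANON = Client("198.51.100.7", hostname="dsl-7.example.net")
MEMBER = Client("203.0.113.5", hostname="pc5.mysite.com")
NO_PTR = Client("203.0.113.5")            # same address, reverse lookup failed


def basic_auth_example(client: Client, user_ok: bool) -> bool:
    """The 'Basic Authentication' block: satisfy any + deny from all."""
    return access_granted(client, deny=["all"], satisfy="any",
                          require=True, user_ok=user_ok)


def basic_auth_without_deny(client: Client, user_ok: bool) -> bool:
    """Same, but the 'deny from all' line was forgotten."""
    return access_granted(client, satisfy="any", require=True, user_ok=user_ok)


def basic_auth_satisfy_all(client: Client, user_ok: bool) -> bool:
    """Same as the block but with the default 'satisfy all'."""
    return access_granted(client, deny=["all"], require=True, user_ok=user_ok)


def host_based_example(client: Client) -> bool:
    """The 'Host-based authentication' block."""
    return access_granted(client, order="deny,allow", deny=["all"],
                          allow=[".mysite.com"])
```

basic_auth_without_deny() is the case to remember: with "satisfy any" and no deny line, every client is granted access without ever seeing a login prompt, while basic_auth_satisfy_all() shows the opposite failure, where "deny from all" under the default "satisfy all" locks everyone out even with a valid password.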
Other uses
There are a multitude of other uses for .htaccess files, including controlling access to given files and altering error documents. For a comprehensive index, visit
www.apache.org.
Controlling other factors using .htaccess
Creating custom error pages for your domain.
ErrorDocument 400 /400.html
ErrorDocument 403 /403.html
ErrorDocument 404 /404.html
Give the error page as a path relative to the document root rather than a full http:// URL. With a full URL Apache answers with a redirect to that page instead of the error status, so the client (and your logs' consumers) never see the 403 or 404; for 401 a remote URL does not work at all, because the browser must receive the error itself, with its WWW-Authenticate header, before it will prompt for a password.
These are some of the most common status codes:
400 - Bad Request
401 - Unauthorized (login required)
403 - Forbidden
404 - Not Found
500 - Internal Server Error
Stopping directory listings if no index.htm* is present
Options -Indexes
If the server configuration enables Indexes, a directory with no index file otherwise shows a listing of everything in it, including backups and files you never meant to publish.
Adding alternate index files (other than index.htm*)
Example 1: DirectoryIndex index.php
Example 2: DirectoryIndex script.cgi
Example 3: DirectoryIndex index.php script.cgi index.html
In example 3 the files are tried in the order listed and the first one that exists is served.
Stopping Image Hotlinkers (requires mod_rewrite access)

RewriteEngine on                                                      - turns the rewrite engine on
RewriteOptions inherit                                                - also apply the rewrite rules of the parent directory
RewriteCond %{HTTP_REFERER} !^$                                       - let requests with no Referer through
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com/ [NC]  - let pages on your own domain through
RewriteCond %{HTTP_REFERER} !^https?://204\.204\.204\.204/ [NC]       - let pages served by your IP address through
RewriteRule \.(jpe?g|gif)$ http://www.your-sponsor.com/ [R,L,NC]      - everyone else is redirected to your sponsor

The dots in the domain name are escaped and the pattern ends in "/" so that a referer such as yourdomain.com.example.net is not mistaken for your own site; [NC] on the RewriteRule makes the extension match case-insensitive, so spelling out [Jj][Pp][Gg] is not needed. Remember that the Referer header is sent by the client and can be omitted or forged, and the first condition deliberately lets requests without one through: this stops casual hotlinking from other web pages, not a determined downloader.
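The referer conditions above, as an added example that is not part of the original article: a Python model of the RewriteCond chain, so its edge cases can be exercised without a server. It compares a loose own-site pattern of the shape ^http://w*\.*yourdomain.com, as often pasted into .htaccess files, with a strict one that escapes the dots and requires a trailing slash. The referers and paths are constructed, and the IP-address condition of the recipe is left out for brevity.

```python
r"""Added example, not from the original article: the hotlink-blocking
RewriteCond chain modelled in Python so its edge cases can be exercised.
In mod_rewrite the RewriteRule fires only when every preceding RewriteCond
holds; each '!' condition below is therefore a way to be let through.
The referers and paths are constructed; the IP-address condition of the
recipe is omitted for brevity. Two candidate patterns for "our own site"
are compared: a loose one of the shape ^http://w*\.*yourdomain.com, and
a strict one with escaped dots and a terminating slash.
"""
import re

# RewriteRule pattern, with [NC] instead of spelling out [Jj][Pp][Gg].
IMAGE = re.compile(r"\.(jpe?g|gif)$", re.IGNORECASE)

# Loose: 'w*' and '\.*' may match nothing at all, and the unescaped dots in
# the domain match any character.
LOOSE_OWN_SITE = re.compile(r"^http://w*\.*yourdomain.com", re.IGNORECASE)

# Strict: optional https, optional www., escaped dots, then the path must
# start, so "yourdomain.com.evil.example" cannot pass.
STRICT_OWN_SITE = re.compile(r"^https?://(www\.)?yourdomain\.com/", re.IGNORECASE)


def redirected_to_sponsor(path: str, referer: str, own_site: re.Pattern) -> bool:
    """True when the request would be redirected to the sponsor, i.e. the
    RewriteRule pattern matches and every RewriteCond holds."""
    if not IMAGE.search(path):
        return False      # RewriteRule pattern does not match this URL
    if referer == "":
        return False      # RewriteCond %{HTTP_REFERER} !^$ : no Referer passes
    if own_site.search(referer):
        return False      # RewriteCond %{HTTP_REFERER} !^...yourdomain... [NC]
    return True           # every condition held: send to the sponsor


def bypasses(own_site: re.Pattern) -> list:
    """Constructed referers a hotlinker could send to get the image anyway."""
    candidates = [
        "",                                        # strip the Referer header
        "http://yourdomain.com.evil.example/",     # look-alike host
        "http://www.yourdomainXcom/",              # unescaped dot in pattern
        "http://www.yourdomain.com/fake.html",     # forge the header outright
    ]
    return [r for r in candidates
            if not redirected_to_sponsor("/pics/free.jpg", r, own_site)]
```

Even the strict pattern is bypassed by an empty or forged Referer, which is the point of the caveat above: bypasses(STRICT_OWN_SITE) still returns the first and last candidates, while bypasses(LOOSE_OWN_SITE) returns all four.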