Apache Htaccess Files

Apache Htaccess Files

The Apache web server allows for per-directory configuration through the use of .htaccess files. The CS configuration allows for many aspects of web server behavior to be configured using these files.

Please note that to be recognized by the web server, the access file name must be correct. The file name is all lower-case, is preceded by a period (.) and has no trailing file extension.

The .htaccess file can control many of the aspects of how the web server display the contents of a directory. A full discussion of the configuration options available can be found on the Apache organization's Htaccess tutorial page. This document will only deal with it's use in restricting access to web accessible files, on a per directory basis.

IP restricted access

To restrict a directory so that it can only be seen by computers within the CS network, create an .htaccess file in the directory with the following lines.

	Require host cs.duke.edu

You can allow access from other departmental networks, individual machines or even outside networks by adding additional hosts to the Require line. Network and machine access can be either by name or by numeric IP. Note that if you add a netowrk, then all subsets of that network automatically have access. Adding duke.edu would automatically allow access from the cs.duke.edu network.

If you want to also allow access from the Duke wireless network, then include this line:

	Require host wireless.duke.local

Additionally, it's possible that some devices within Duke will not be registered in DNS; i.e., their IP address will not map to a text host.domain. If you're trying to be Duke all-inclusive and you wish to also include these for allowed access, then you could make your .htaccess file look more like this: 

	Require host duke.edu wireless.duke.local
	Require ip  152.3 152.16 167.159.64.0/18 10.0.0.0/8

Password protected access

For more detailed information on this subject please see the Apache 2.2 authentication page. You can use .htaccess files to limit access, on a per directory basis, to users who provide a correct username and password. There are currently two methods supported:

  1. Apache Basic Authentication, a built-in method, which will work for any visitor. However this requires more setup and maintenance on the part of the web page maintainer. With the update to Apache 2.4 you will also need to include the following to disable shibboleth inspection of the authentication: 
    shibdisable On
  2. Shibboleth, a method supported by Duke OIT, which allows people to authenticate using their Duke NetID. This method can support a limited list of users as well as allowing access for any person with a valid NetID. Shibboleth is now the preferred method for web-based NetID authentication