29.16. Editing .htaccess Files

As explained in the introduction, Apache options can be set for a directory by creating a file in the directory named .htaccess. These are often created by normal users who do not have permission to edit the master web server configuration file and want to change the way Apache behaves when accessing their directories. .htaccess files can be used to set almost all of the options that you can configure on a per-directory basis, as explained in other sections of this chapter.

The options in one of these files apply to all the files in its directory and in any subdirectories. They can, however, be overridden by another such file lower down in the directory tree. Per-directory options in the main Apache configuration will be overridden by those in a .htaccess file for the same directory, but directory options for a subdirectory will override those in a parent .htaccess file!

Webmin can be used to create and edit .htaccess files, as well. If some already exist on your system that were created manually, they must be discovered by Webmin before you can use it to edit them. To have Webmin search for existing files on your system, follow these steps:

1. On the module's main page, click on the Per-Directory Options Files icon (this is what Webmin calls .htaccess files).

2. On the page that appears, there is a button labeled Find Options Files, with two options next to it. If Automatically is selected, Webmin will look in the document root directory of each virtual server for options files. If From directory is chosen, you can enter a directory that will be searched instead.

The latter option is useful if the websites on your system have pages that are outside of the document roots due to the use of aliases or user web directories.

3. Click the button to have the module search the selected directories and any under them. The same page will be redisplayed, but with a table of all .htaccess files at the top, assuming some were found.

To edit the options set in a file, just click on its path from the Per-Directory Options Files list. This will bring up a page similar to the directory options page shown in Figure 29.5. You can click on the icons to edit redirects, username and password access control, IP address restrictions, MIME types, and custom error messages. The instructions in previous sections that apply to directories can be followed here as well. The only difference is that you do not have to use the Apply Changes link after making changes, as Apache always rereads the .htaccess files that it encounters on every request.

You can also create a new .htaccess file by entering the path to the directory in which it should be created into the field next to the Create Options File button. When the button is clicked, the file will be created empty and have its ownership set to the user and group configured on the user and group page of the default server. It will be added to Webmin's list of known options files and your browser will be redirected to the options page for the file.

To delete a per-directory options file, click on its name in the list and then click on the Delete File link at the top of the page that appears. As soon as it is removed, Apache will cease using any options that it defines for the directory in which it resides.

Section 29.6 “Setting Per-Directory Options” earlier in this chapter explains how to set options that apply only to files of a particular name, no matter what directory they are in. It is also possible for a .htaccess file to contain options that apply to only some of the files in the directory that contains it. This can be useful for doing things like denying access to all files matching the pattern *.c in the directory /usr/local/src, which you cannot do just by using per-directory or per-file options.

To set options like this, follow these steps:

1. On the module's main page, click on the Per-Directory Options Files icon. Then, click on the .htaccess file in the directory to which you want the options to apply. If it doesn't yet exist, use the Create Options File button to create it as explained in the previous instructions.

2. Scroll down to the Create Per-File Options form and enter the filename or pattern into the Path field. Patterns can only use shell wildcard characters like * and ?, unless you change the Regexp? field to Match regexp, in which case you can enter a Perl regular expression using characters like |, [, ], and +.

3. When you click the Create button, the same page will be redisplayed but with an additional icon for the filename or name pattern that you just entered.

4. Click on the new icon, which will bring up another page of icons for different categories of options that can be applied to files whose names match the specified filename or pattern. This page is very similar to the directory options page shown in Figure 29.5, and the pages that it links to are mostly identical.

5. The instructions in other sections of this chapter for creating redirects, custom error messages, or IP access control can be followed on this page as well to set the same options for matching files in the directory. The only difference is that there is no need to click on the Apply Changes link to make new settings active.

You can change the filename or pattern for which the options are saved by editing the Path field in the Options apply to form and then clicking Save. You can also remove them altogether so that the options for the directory apply instead by clicking on the Delete button in the same form.

On a system that has many virtual websites run by untrusted users, you may want to restrict the directives that those users are allowed to enter into .htaccess files. This can also be useful if you have user web directories enabled, which is explained in Section 29.17 “Setting Up User Web Directories”. It is possible for a user to enable CGI scripts for his directory by putting the right directives into an options file, which could pose a security risk on your server.

You can restrict the directives that can be used in .htaccess files on a per-directory basis. To do this, follow these steps:

1. On the main page of the Apache Webserver module, click on the icon for the virtual server under which the directory resides.

2. Click on the icon for the directory in which you want to restrict .htaccess files or, if one does not exist yet, follow the instructions in Section 29.6 “Setting Per-Directory Options” to create it.

3. Click on the Document Options icon.

4. In the Options file can override field, select the Selected below radio button. Then deselect those categories of directives in the table provided that you don't want users to be able to include in .htaccess files. The available categories are:

   Authentication options: Deselect this option to prevent the use of directives related to password authentication.

   MIME types and encodings: Deselect this option to prevent the setting of MIME types, character sets, encodings, and languages for files. This will also stop files with certain extensions being indicated as CGI programs.

   Indexing and index files: This option controls the use of directives for directory indexing.

   Hostname access control: Deselect this option to stop the use of IP access control directives.

   Directory options: This option controls the use of directives that set options for the directory, such as whether indexing is done and if CGI programs are enabled.

5. Click the Save button and then the Apply Changes link.

Whenever a user tries to use directives that he is not allowed to use, Apache will display an error message when files in the directory containing the .htaccess file are requested. It will not simply ignore the disallowed directives.
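
The following Python sketch is an added example, not code from the book or from Webmin. It audits the contents of a .htaccess file against an AllowOverride value and reports which directives Apache would reject and which can enable CGI execution. It assumes the five Webmin categories above correspond to Apache's AllowOverride keywords AuthConfig, FileInfo, Indexes, Limit and Options; the directive table is a subset, the function names are hypothetical, and SAMPLE is constructed.

```python
# AllowOverride keyword each directive needs in .htaccess (subset of Apache's list).
NEEDS = {
    "options": "Options", "order": "Limit", "allow": "Limit", "deny": "Limit",
    "addhandler": "FileInfo", "sethandler": "FileInfo", "addtype": "FileInfo",
    "errordocument": "FileInfo", "redirect": "FileInfo",
    "authtype": "AuthConfig", "authname": "AuthConfig",
    "authuserfile": "AuthConfig", "require": "AuthConfig",
    "directoryindex": "Indexes", "indexoptions": "Indexes",
}
ALL = set(NEEDS.values())

def allowed_classes(allow_override):
    """Turn an AllowOverride value such as 'AuthConfig Limit' into a set of keywords."""
    # 'Options=...' is treated as plain 'Options' here; 'None' yields the empty set.
    words = {w.split("=")[0].lower() for w in allow_override.split()}
    return set(ALL) if "all" in words else {c for c in ALL if c.lower() in words}

def enables_cgi(name, args):
    """True when the directive can make Apache run files as CGI programs."""
    if name == "options":
        return any(a.lstrip("+").lower() in ("execcgi", "all") for a in args)
    return name in ("addhandler", "sethandler") and bool(args) and args[0].lower() == "cgi-script"

def audit(text, allow_override):
    """Return (line, directive, keyword, rejected, cgi) for each known directive."""
    allowed, out = allowed_classes(allow_override), []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0][0] in "#<":  # skip blanks, comments, <Files> tags
            continue
        name, args = parts[0].lower(), parts[1:]
        if name in NEEDS:
            out.append((n, parts[0], NEEDS[name], NEEDS[name] not in allowed,
                        enables_cgi(name, args)))
    return out

# Constructed sample .htaccess, not taken from a real site.
SAMPLE = """\
AuthType Basic
Options +ExecCGI
AddHandler cgi-script .pl
<Files "*.c">
Deny from all
</Files>
"""

if __name__ == "__main__":
    for row in audit(SAMPLE, "AuthConfig Limit"):
        print(row)
```

Rows with rejected set to True are the directives that trigger the error described above. Rows where cgi is True and rejected is False mark directories in which a user can still turn on CGI execution.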
