Configuring Apache to use a .htaccess file

Just a good step by step on how to configure Apache to use a .htaccess file. I rarely ever use this method except in testing so I always forget.

First, get your web administrator to enable your use of .htaccess files. This requires a stanza in ServerRoot/conf/access.conf like this:

AllowOverride AuthConfig

where /home/webber is replaced by your home directory. Without this, the usual default is AllowOverride None, which means that .htaccess files are ignored. The above stanza allows .htaccess control in all subdirectories of the specified Directory.

Set up a reasonably secure directory for the password (and optionally the group) files. This directory should not be in the web document tree! If it is, someone who can learn or guess the URL of the password file can fetch it and try to crack the passwords. (This refers to visitors from elsewhere on the Internet. There is no simple way to prevent users with accounts on the web server host itself from snooping in the password file, so we will have to settle for security by obscurity and trust them not to try too hard.)
Let us name this directory http-etc by analogy to the Unix /etc directory where the system passwd and group files reside. Place it in your home directory (not in public_html) so that it is outside URL space. Give it permission 701 = rwx-----x meaning you the owner can do anything, and the web server, running as the ordinary user apache, can access the directory but cannot list it (so it must know the file names in advance).1

Continue reading Configuring Apache to use a .htaccess file