University of Minnesota
Computer Science & Engineering Help Pages

Disabling directory listing

By default, our web server will display a list of files in a directory if there is no index.html, index.cgi or other index file present. Some users feel this gives out too much information about the contents of their web sites. To turn this option off, create a file in your .www directory called .htaccess if one doesn't exist. Then, add the following line to it:

Options -Indexes

Be sure that your .htaccess file is world-readable. To do this, run the following command from your home directory:

chmod a+r .www/.htaccess

Apache Access Control

A common question from our users is how to restrict a personal web page so that only certain people have access to it. This document describes the simplest way of accomplishing this goal, by creating a .htaccess file in your home directory that tells the web server to allow access only to people to whom you've given a username and password. This document assumes you have already created your home page as described in the Creating Your Homepage document.

You can restrict access to a directory tree by creating an .htaccess file within the root of the tree. Below is a sample .htaccess file. To create your own, cut and paste this text into a file called .htaccess in your .www directory. For example, with pico, you would type:

% pico ~/.www/.htaccess

Then cut and paste the following text into the pico editor and exit pico:

AuthUserFile /home/xyz/username/.www/.htpasswd
AuthType Basic
AuthGroupFile /dev/null
AuthName "Site Authentication"

order allow,deny
allow from all
require valid-user

The "require valid-user" directive means that anyone accessing this directory must enter a username and password. These username/password pairs are stored in a separate file specified by the "AuthUserFile" directive. Generally this file is called .htpasswd. Make sure that you replace /home/xyz/username/.www/.htpasswd above with the full UNIX path to the .htpasswd file you create.

The .htpasswd file can be created with the htpasswd command. To use the htpasswd program, use the following command:

htpasswd --userid testuser

This program will create a username and encrypted password pair that will be added to the .htpasswd file you defined in the AuthUserFile directive of your .htaccess file.

If you cannot find a machine with htpasswd installed, you can use the CS&E Password Hash Generator. This will create the username and password pair that you can then copy and paste into your .htpasswd file.

Please note that the authentication method used here sends passwords in the clear, so you should not use your CS&E or CSE Labs password in the .htpasswd file. Choose a different password, and be aware that there is some chance of your password being intercepted by malicious hackers.

You can add as many usernames and passwords to the .htpasswd file as you like using this method. When a user tries to access the directory containing the .htaccess file, he/she will be prompted to enter a username and password. Only if he/she enters a valid username and password will access to the site be granted.

The web server runs as user "www", an unprivileged user, just like you, so you must make sure the file permissions are set such that any normal user can read the .htaccess and .htpasswd files. The passwords are encrypted, so this isn't a problem if you choose good passwords. Also make sure the permissions on the directory are at least world executable. If you aren't sure about the above, do the following. (This assumes that your .htpasswd file is in the same directory as your .htaccess file.)

% cd ~/.www 
% chmod 701 .
% chmod 644 .htaccess
% chmod 644 .htpasswd
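
The script below is an added example, not part of the original help page or any CS&E tooling. It audits a .www directory against the steps above: directory listing disabled, AuthUserFile given as a full path to an existing file, and permissions that let the web server read both files. The function names and messages are assumptions made for this example; it also flags a <Limit> section, because Apache's documentation states that rules inside <Limit> apply only to the methods it lists.

```shell
#!/bin/sh
# Added example (not from the original page): audit a .www directory against
# the setup described above. Prints one line per finding; the return status
# of audit_www is the number of findings (0 = nothing to fix).

# other_can r|x PATH: true if "other" (which includes the web server user)
# holds that permission, read from the last triplet shown by `ls -ld`.
other_can() {
    perms=$(ls -ld "$2" | cut -c8-10)
    case "$1$perms" in
        rr??|x??[xt]) return 0 ;;
        *) return 1 ;;
    esac
}

note() { echo "$1"; n=$((n + 1)); }

audit_www() {
    dir=$1; ht="$dir/.htaccess"; n=0
    other_can x "$dir" || note "$dir is not world-executable (chmod 701)"
    [ -f "$ht" ] || { note "no .htaccess in $dir"; return "$n"; }
    other_can r "$ht" || note ".htaccess is not world-readable (chmod 644)"
    grep -Eiq '^[[:space:]]*Options[[:space:]].*-Indexes' "$ht" ||
        note "directory listing still enabled (no 'Options -Indexes')"
    # Everything below applies only when password protection is configured.
    grep -Eiq '^[[:space:]]*require[[:space:]]' "$ht" || return "$n"
    pw=$(sed -n 's/^[[:space:]]*[Aa]uth[Uu]ser[Ff]ile[[:space:]]*//p' "$ht" |
         head -n 1 | tr -d '"\r')
    case "$pw" in
        '')  note "'require' is set but there is no AuthUserFile" ;;
        /*)  if [ ! -f "$pw" ]; then note "AuthUserFile $pw does not exist"
             elif ! other_can r "$pw"; then
                 note "$pw is not world-readable (chmod 644)"
             fi ;;
        *)   note "AuthUserFile '$pw' is not a full UNIX path" ;;
    esac
    # Simplification: flags any <Limit ...> section in the file. Per Apache's
    # documentation, rules inside <Limit> cover only the methods it lists.
    grep -Eiq '^[[:space:]]*<Limit[[:space:]]' "$ht" &&
        note "'require' may sit inside <Limit>: other methods are not covered"
    return "$n"
}
```

Source the file and run audit_www ~/.www; an exit status of 0 means every check passed.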

This document covers only the most rudimentary aspects of authentication and access control. Full information is available from the Apache Tutorial for .htaccess files or Apache's Authentication documentation.

Note: If you want to restrict access to a subdirectory, place the .htaccess file in that subdirectory rather than the document root. Consult the Apache documentation at www.apache.org for more information.

Contact: 1-201 Keller Hall, 200 Union St SE, Minneapolis, MN 55455   Phone: (612) 625-0876   Email: operator@cs.umn.edu