Sometimes you are using someone else’s web server, for example, a paid hosting service. That someone else may not want you mucking about with their web server configuration. There are still configuration opportunities, however. By including a file called .htaccess in your served directory (one .htaccess file for each served directory), you can specify some things that customize web server behavior for that directory.

Make sure that your .htaccess file is readable. I found that file permissions can mess with effectiveness.

Also note that there are (at least) two different formats for .htaccess. This is dependent on the version of Apache that is being used. I don’t know how to query the service if you don’t have direct access to it to find out which version it is using. When I used the wrong format, I got Forbidden 403 errors. Finding documentation is especially confusing thanks to this multiplicity of possibilities. I found this helpful for "current" versions of Apache:

Here, for example, is my .htaccess file for my help notes. This allows text files to be served as text files, while files with no extension are served as HTML.

#Chris' .htaccess for Help Files
# Files with no extension are served as HTML.
# Files ending in .txt are served as text.
# Files ending in .html are served as HTML.

# Never serve the .htaccess file itself.
<Files .htaccess>
order allow,deny
deny from all
</Files>

# File names containing no dot at all.
<Files ~ "^[^.]*$">
    ForceType text/html
</Files>

<Files *.txt>
    ForceType text/plain
</Files>

<Files *.html>
    ForceType text/html
</Files>

Here’s an even more enthusiastic one for my resume where the files are named things like ps so that the URL is xed.ch/resume/ps.

<Files "pdf">
    ForceType application/pdf
</Files>
<Files "txt">
    ForceType text/plain
</Files>
<Files "html">
    ForceType text/html
</Files>
<Files "roff">
#   ForceType application/x-troff
    ForceType text/plain
</Files>
<Files "ps">
    ForceType application/ps
</Files>
<Files "rtf">
    ForceType application/rtf
</Files>

Password Protection

The .htaccess file can also be used to provide a bit of security with mod_auth (I think). Here is a .htaccess file I use to implement a password-protected directory.

AuthUserFile /var/www/somedir/private/.htpasswd
AuthType Basic
AuthName "Chris' Private Folder"
Require valid-user

The .htpasswd file is generated by the htpasswd command.
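
As an added example (not part of the original notes), here is the deny rule from the help-file .htaccess and the password block above combined into one file that works under both directive formats mentioned earlier. It assumes the same AuthUserFile path as above and relies on mod_authz_core being present only in Apache 2.4 and later to choose the syntax.

```apache
# Added example: one .htaccess that loads under either access-control format.
# mod_authz_core ships only with Apache 2.4+, so testing for it selects
# the matching syntax and the other branch is never parsed.

# Never serve .htaccess or .htpasswd themselves, even to logged-in users.
<FilesMatch "^\.ht">
    <IfModule mod_authz_core.c>
        # Apache 2.4 format
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2 format
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# Password-protect everything else in this directory.
# These directives are spelled the same in both versions.
AuthType Basic
AuthName "Chris' Private Folder"
AuthUserFile /var/www/somedir/private/.htpasswd
Require valid-user
```

Apache reads none of this when the directory is configured with AllowOverride None, as in the Ubuntu 000-default shown later in these notes. The server administrator has to permit AuthConfig overrides (and Limit, for the 2.2 branch) before the file takes effect.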


To enable files in a directory to be executed as CGI programs, use the following .htaccess.

Options +ExecCGI
AddHandler cgi-script cgi py pl

# Or to make all files in the directory active CGI programs.
#SetHandler cgi-script


If you need the traffic of your web server to be encrypted, you need a certificate. This is a notorious pain and usually costs money. Here is a very nice idea that is supported by the EFF and a lot of important browsers.


I would look at this first.


Ubuntu’s Apache configuration is a bit baroque but reasonable once you get the hang of it. Most things in /etc/apache2/apache2.conf are just sourcing other things. Which things get sourced is configured by linking "available" things into the "enabled" directories. This applies to modules (mods-available) and virtual hosts (sites-available).

On Ubuntu, httpd.conf is pretty much empty and the end user can put whatever special things make the site special in there. But note that it might not be in the right order or context there. It does get sourced though and is a convenient place to put some stuff.

Normally, to change the behavior of the default served directory, edit /etc/apache2/sites-enabled/000-default which will contain:

    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

This also indicates where the default web documents (document root) are: /var/www.

Directory Structure of Ubuntu’s Apache Configuration
    |-- apache2.conf
    |-- conf.d
    |     |-- charset
    |     |-- localized-error-pages
    |     \-- security
    |-- envvars
    |-- httpd.conf
    |-- magic
    |-- mods-available
    |     |-- cgi.load
    |     |-- dav.load
    |     |-- dbd.load
    |     |-- imagemap.load
    |     |-- include.load
    |     |-- info.conf
    |     |-- info.load
    |     |-- ldap.load
    |     |-- ssl.conf
    |     |-- ssl.load
    |     |-- status.conf
    |     |-- status.load
    |     |-- suexec.load
    |     |-- userdir.conf
    |     |-- userdir.load
    |     |-- version.load
    |     \-- vhost_alias.load
    |-- mods-enabled
    |     |-- cgid.load -> ../mods-available/cgid.load
    |     |-- status.conf -> ../mods-available/status.conf
    |     \-- status.load -> ../mods-available/status.load
    |-- ports.conf
    |-- sites-available
    |     |-- default
    |     \-- default-ssl
    \-- sites-enabled
        \-- 000-default -> ../sites-available/default

How to check to see what modules and virtual hosts are active

# APACHE_RUN_USER=www-data APACHE_RUN_GROUP=www-data /usr/sbin/apache2 -t -D DUMP_MODULES -D DUMP_VHOSTS