Changes to .htaccess

The syntax of various statements in .htaccess files has changed and some statements are not needed anymore.

Log in via ssh to run any of the commands below.

Find .htaccess Files to Modify

To find all .htaccess files that need to be modified, run the following command:


This will report the file and line number of any control statement that you need to have a look at.

Changed Syntax

Access control statements now generally use the require statement. The order, allow and satisfy statements need to be converted as follows:

Old                  Change to this
-------------------  ---------------------------------------------------------
order deny,allow     require all denied
deny from all

order allow,deny     require all granted
allow from all

allow from           require host

allow from           require ip

satisfy any          wrap all require lines between <RequireAny></RequireAny>

satisfy all          wrap all require lines between <RequireAll></RequireAll>


Previously, Kerberos and LDAP based authentication had to be set up completely in .htaccess files. Now authentication via ETH password for web applications (LDAP) is preconfigured and only needs to be activated. All that is needed is the following:

AuthType basic
AuthName "Some description"

Use require ldap-user user1, user2, ... to grant access to individual users. If you have multiple require lines, wrap them in <RequireAny></RequireAny>.

If you want to use files listing users or groups instead, also add the following lines:

AuthBasicProvider ldap file
AuthUserFile /home/yourlogin/userfile
AuthGroupFile /home/yourlogin/groupfile

For security reasons, do not place the user and group files in the public_html folder. To ensure that, apart from you, only the web server can read the files, use the web_allow_access command (web_allow_access for help) with these files as arguments.

When switching from Kerberos to LDAPS, make sure that you strip all @D.ETHZ.CH from users and groups.
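
The checks described on this page, collected into one scanner as an added example (not code from the original page, and not the command it refers to): it reports the line number of each old-style order/allow/deny/satisfy line with the replacement from the table, flags AuthUserFile/AuthGroupFile paths inside public_html, and flags leftover @D.ETHZ.CH suffixes. The function names, the hint texts, the address heuristic and the sample input are assumptions made for this example.

```python
import re
from pathlib import Path
REALM = "@D.ETHZ.CH"  # Kerberos realm suffix the page says to strip

def _from_hint(verb, args):
    if [a.lower() for a in args] == ["all"]:
        return "require all denied" if verb == "deny" else "require all granted"
    if verb == "deny":
        return "not in the page's table; review by hand"
    # Heuristic: digits and dots (optional /mask) or a colon means an address.
    is_ip = lambda a: bool(re.fullmatch(r"[0-9.]+(/[0-9.]+)?", a)) or ":" in a
    return "; ".join(f"require {'ip' if is_ip(a) else 'host'} {a}" for a in args)

def scan_text(text):
    """Yield (line_no, hint) for each line the page says needs attention."""
    for no, raw in enumerate(text.splitlines(), 1):
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue  # skip blank lines and comments
        key, rest = words[0].lower(), words[1:]
        if key == "order":
            yield no, "replace together with its allow/deny lines"
        elif key in ("allow", "deny") and rest and rest[0].lower() == "from":
            yield no, _from_hint(key, rest[1:])
        elif key == "satisfy" and rest:
            tag = "RequireAny" if rest[0].lower() == "any" else "RequireAll"
            yield no, f"wrap require lines in <{tag}></{tag}>"
        elif key in ("authuserfile", "authgroupfile") and "public_html" in raw:
            yield no, "move this file out of public_html"
        if REALM in raw.upper():
            yield no, f"strip {REALM} from users and groups"

def scan_tree(root):
    """Yield (path, line_no, hint) for every .htaccess file below root."""
    for path in sorted(Path(root).rglob(".htaccess")):
        for no, hint in scan_text(path.read_text(errors="replace")):
            yield str(path), no, hint

# Constructed sample input, not taken from the page.
SAMPLE = """order deny,allow
deny from all
allow from 192.0.2.0/24
satisfy any
AuthUserFile /home/yourlogin/public_html/userfile
require user alice@D.ETHZ.CH
"""

if __name__ == "__main__":  # demo on the sample; call scan_tree(dir) for real files
    print(*(f"{no}: {hint}" for no, hint in scan_text(SAMPLE)), sep="\n")
```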


© 2022 Eidgenössische Technische Hochschule Zürich