How-to: password-protect a file/directory in Apache using htaccess
#1

this is a quick howto for setting up protected directories on your newly installed apache webserver (thanks to michael on IRC for help with this).

 

first of all you'll need to decide what directory you want to protect, in the example below we are going to protect a directory called /usr/local/apache/htdocs/private

 

you can also assume in this example that we are serving webpages from /usr/local/apache/htdocs/

 

also to note:

 

http://httpd.apache.org/docs/mod/mod_access.html mod_access is also required for using .htaccess

 

e.g.



Code:
LoadModule access_module /usr/lib/apache/1.3/mod_access.so




 

ok.. where do we start ?

 

 

STEP one: edit your httpd.conf file

 

first of all you need to edit your httpd.conf file and define a few things, notably you want to tell apache which directory to protect

 

if you compiled apache as in the example here then your httpd.conf file will be located in /usr/local/apache/conf/httpd.conf so using your favorite text editor let's start editing the file and add the following (which you should change for your path)

 

 

 



Code:
<Directory /usr/local/apache/htdocs/private/>
   AllowOverride All
   Order allow,deny
   Allow from all
</Directory>




 

 

also make sure your httpd.conf file has the following in it

 



Code:
AccessFileName .htaccess
<Files ~ "^\.ht">
  Order allow,deny
  Deny from all
  Satisfy All
</Files>




 

 

ok done, save your file.

 

 

STEP two: create .htaccess file and put it in the chosen directory

 

Now we need to create a new file and paste the following info into it

 

the file is going to be called .htaccess, please note the . in front of it, that is because it is a hidden file.

 

copy/paste the following text into this new file and Please note: AuthUserFile must include an absolute path so "AuthUserFile .htpasswd" doesn't work if you have .htpasswd in your current directory

 



Code:
AuthName "Authorization required"
AuthType Basic
AuthUserFile /var/www/.htpasswd
AuthGroupFile /dev/null
require valid-user




 

please note that the path /var/www/.htpasswd can change according to where you want it to be, and that at this point, the file .htpasswd does not yet exist.

 

ok, save the file and test to see that it exists by doing a ls with some switches to see hidden files.

 

 

 

 



Code:
[root@www private]# ls
index.html
[root@www private]# ls -alxhs
total 96K
4.0K .  4.0K ..  4.0K .htaccess   84K index.html
[root@www private]#




 

Now you can see the hidden .htaccess file and that it exists.

 

 

STEP three: create an 'apache' virtual user/password file called .htpasswd

 

Ok now we need to actually create a 'virtual' user with a password, this user/pass is not a system user it is only used by apache to give access to the specified directory.

 

 

To create the users let's change directory to where we want the .htpasswd file stored, in the example above it's in /var/www/

 

 

 



Code:
cd /var/www




 

Now we are there, let's make the file, to do this we use a program called htpasswd.

 

 



Code:
htpasswd -c /var/www/.htpasswd anyweb




 

It will prompt you for a password, enter it and then confirm it.

 

Once done confirm the file is present (it is hidden remember)

 

 



Code:
[root@www www]# ls -alxhs
total 32K
4.0K .      4.0K ..    4.0K cgi-bin  4.0K error  4.0K html  4.0K .htpasswd
4.0K icons  4.0K mrtg




 

good, it's there, the file will now contain the username you specified (in this case anyweb) and an encrypted password that looks something like this

 

 

 



Code:
anyweb:ARmbxDd.dE




 

STEP four: edit httpd.conf, add the path to the dir to protect, save, restart apache and test

 

Edit your httpd.conf file (usually in /usr/local/apache/conf if you compiled it)

 

find a section that reads

Quote:
#
# Controls who can get stuff from this server.
#
Order allow,deny
Allow from all
</Directory>
 

and change it so that it includes the path to the directories you want password protected (and which you also copied the .htaccess file into the root of)

 



Code:
#
# Controls who can get stuff from this server.
#
  Order allow,deny
  Allow from all
</Directory>

<Directory /usr/local/apache/websites/homedns/cv/>
   AllowOverride All
   Order allow,deny
   Allow from all
</Directory>

<Directory /usr/local/apache/websites/kicks-ass/personal/family/>
   AllowOverride All
   Order allow,deny
   Allow from all
</Directory>




 

save httpd.conf.

 

 

Let's restart apache so that it can read the newly edited httpd.conf file. To do so, issue the following as root

 



Code:
/usr/local/apache/bin/apachectl stop
/usr/local/apache/bin/apachectl start




 

That's it you are done, now test it by browsing in Mozilla to the 'protected' directory, you should be prompted for a username/password to access it !

Reply
#2

Great howto anyweb :)

I followed this tutorial and used:

httpd-2.0.50

mysql-4.0.20

php-4.3.7

------------------------------

I don't know where I should post this but here..

 

The problem is when I did the fresh install I only have the libphp4.so module on the modules/ directory

I need the mod_access.so module, I did a few searches and this is what I found,



Code:
/usr/local/src/httpd-2.0.50/modules/aaa/mod_access.c
/usr/local/src/httpd-2.0.50/modules/aaa/mod_access.dsp
/usr/local/src/httpd-2.0.50/modules/aaa/mod_access.exp
/usr/local/src/httpd-2.0.50/modules/aaa/.libs/mod_access.al
/usr/local/src/httpd-2.0.50/modules/aaa/.libs/mod_access.la
/usr/local/src/httpd-2.0.50/modules/aaa/mod_access.o
/usr/local/src/httpd-2.0.50/modules/aaa/mod_access.lo
/usr/local/src/httpd-2.0.50/modules/aaa/mod_access.la




Reply
#3

edit the .htaccess file and add

 

Code:
<FilesMatch filename.html>
AuthName "username"
AuthType Basic
AuthUserFile /home/userdir/.htpasswd
require valid-user
</FilesMatch>

Reply
#4

hmm i tried this and nothing happened.

 

i wonder what i'm doing wrong

 

see below

 



Code:
<FilesMatch pics2.html>
AuthName "username"
AuthType Basic
AuthUserFile /var/www/.htpasswd
AuthGroupFile /dev/null
require valid-user
</FilesMatch>




 

.htpasswd was previously created so no need to recreate it (i guess)

 

also.. i restarted apache

 

still the same, doesn't prompt for password

 

cheers

 

anyweb

Reply
#5

Code:
AuthName grep420.net
AuthUserFile /home/grep420/www/htpasswd
AuthGroupFile /dev/null
AuthType Basic
require valid-user

 

This is an example of a .htaccess file. This will require a password from anyone trying to access the directory this file is located in via the web. When you create your own .htaccess file the AuthName section can be anything you want for the title. AuthUserFile needs to point to the file you are storing your user/password information in. You can generate a user/password combination with the htpasswd command. AuthType Basic is probably what you want. The most important part is require valid-user, this is basically telling apache to ask for a user/password for access.

 

Code:
shell#> htpasswd .htpasswd linux-noob
New password:
Re-type new password:
Updating password for user linux-noob
shell#> cat .htpasswd
linux-noob:OaRnx68rKLt3E

 

Now by placing your .htaccess file into a web directory it will prompt for a user and a password for access. Make sure you keep the htpasswd file in a secure area.

Reply
#6

Hi all,

 

Just a note to cover a tricky issue some people might have..

 

I followed the above directions on my fc2, apache2 server and nothing happened..

 

So if you try this too and have a similar issue, try adding an AllowOverride AuthConfig section to your site... for example my virtualhost below:

 

 

Code:
<VirtualHost 202.168.47.66>
  DocumentRoot "/var/www/foo"
  ServerName www.foo.com.au
  <Directory "/var/www/foo">
    allow from all
    Options +Indexes
    AllowOverride AuthConfig
  </Directory>
</VirtualHost>

 

 

the .htaccess is located in the /var/www/foo directory and the .htpasswd is one directory higher. Remember to check your error_log for apache!

 

 

da!!as

Reply
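The "nothing happened" symptom in posts #4 and #6 comes down to whether AllowOverride for the directory permits auth directives in .htaccess. The check below is an added example, not code from any poster in this thread; the function names and the constructed config fragment are assumptions, and it only handles plain (non-regex, non-wildcard) <Directory> paths in a single file with no Include handling.

```python
import re

# Constructed httpd.conf fragment using directory paths quoted in this thread.
CONF = """\
<Directory />
    AllowOverride None
</Directory>
<Directory "/var/www/foo">
    Options +Indexes
    AllowOverride AuthConfig
</Directory>
<Directory /usr/local/apache/htdocs/private/>
    AllowOverride All
</Directory>
"""

def parse_overrides(conf_text):
    """Return {directory_path: set of lowercased AllowOverride tokens}."""
    overrides, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        opened = re.match(r'<Directory\s+"?([^">]+?)"?\s*>$', line, re.I)
        if opened:
            current = opened.group(1).rstrip("/") or "/"
        elif re.match(r"</Directory>", line, re.I):
            current = None
        elif current is not None:
            directive = re.match(r"AllowOverride\s+(.+)", line, re.I)
            if directive:
                overrides[current] = {t.lower() for t in directive.group(1).split()}
    return overrides

def htaccess_auth_honoured(conf_text, directory):
    """True if the most specific enclosing <Directory> lets .htaccess set auth.

    With no matching section this returns False, which matches the
    AllowOverride None default of Apache 2.3.9 and later; older releases
    defaulted to All.
    """
    directory = directory.rstrip("/") or "/"
    best, tokens = -1, set()
    for path, toks in parse_overrides(conf_text).items():
        prefix = path if path == "/" else path + "/"
        if (directory + "/").startswith(prefix) and len(path) > best:
            best, tokens = len(path), toks
    return bool(tokens & {"all", "authconfig"})
```

A False result for the directory holding the .htaccess file means the auth directives in it are not applied, so no password prompt appears.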
#7

to add better security you can use three types of encryption

 

SHA encryption can be done by:

 



Code:
/usr/bin/htpasswd -cs .htpasswd linux-noob




 

MD5 Sum one way hash can be done by:

 



Code:
/usr/bin/htpasswd -cm .htpasswd linux-noob




 

Crypt encryption can be done by doing:

 



Code:
/usr/bin/htpasswd -cd .htpasswd linux-noob




Reply
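The htpasswd flags above (-s, -m, -d) each leave a recognisable format in the .htpasswd file, so an existing file can be audited for which scheme every user is stored under. This is an added example, not code from the thread; the function names are assumptions, bcrypt (htpasswd -B in Apache 2.4) is included although the thread does not mention it, and the sample reuses the two entries quoted in the thread plus constructed placeholder hashes.

```python
import re

# (scheme, pattern, note) checked in order; patterns describe the stored format only.
SCHEMES = [
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"),
     "salted, adjustable cost"),
    ("apr1-md5", re.compile(r"^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$"),
     "salted, fixed 1000 MD5 rounds"),
    ("sha1", re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$"),
     "unsalted single SHA-1"),
    ("des-crypt", re.compile(r"^[./A-Za-z0-9]{13}$"),
     "2-char salt, password truncated to 8 chars"),
]

def classify(hash_field):
    """Return (scheme, note) for one stored hash, or ('unknown', ...)."""
    for name, pattern, note in SCHEMES:
        if pattern.match(hash_field):
            return name, note
    return "unknown", "not a recognised htpasswd format; inspect by hand"

def audit(text):
    """Return [(line_number, user, scheme, note)] for every entry in the file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no credentials
        user, sep, hashed = line.partition(":")
        if not sep:
            findings.append((lineno, line, "malformed", "no ':' separator"))
            continue
        findings.append((lineno, user, *classify(hashed)))
    return findings

# Constructed sample: the first two entries are the ones quoted in this thread,
# the remaining hash values are placeholders, not real hashes.
SAMPLE = "\n".join([
    "anyweb:ARmbxDd.dE",
    "linux-noob:OaRnx68rKLt3E",
    "alice:{SHA}" + "A" * 27 + "=",
    "bob:$apr1$abcdefgh$" + "A" * 22,
    "carol:$2y$05$" + "A" * 53,
])

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

The shortened anyweb entry from post #1 is reported as unknown because it is 10 characters long, while a crypt() hash such as the linux-noob entry is 13.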
#8
is there any way to set how many times user/pass can be mistyped?
Reply