2004-05-11, 12:49 PM
(This post was last modified: 2012-01-08, 02:19 PM by Dungeon-Dave.)
this is a quick howto for setting up protected directories on your newly installed apache webserver (thanks to michael on IRC for help with this).
first of all you'll need to decide what directory you want to protect; in the example below we are going to protect a directory called /usr/local/apache/htdocs/private
you can also assume in this example that we are serving webpages from /usr/local/apache/htdocs/
also to note:
mod_access (http://httpd.apache.org/docs/mod/mod_access.html) is also required for using .htaccess
e.g.
Code:
LoadModule access_module /usr/lib/apache/1.3/mod_access.so
ok.. where do we start ?
STEP one: edit your httpd.conf file
first of all you need to edit your httpd.conf file and define a few things, notably you want to tell apache which directory to protect
if you compiled apache as in the example here then your httpd.conf file will be located in /usr/local/apache/conf/httpd.conf, so using your favorite text editor let's start editing the file and add the following (which you should change for your path)
Code:
<Directory /usr/local/apache/htdocs/private/>
AllowOverride All
Order allow,deny
Allow from all
</Directory>
also make sure your httpd.conf file has the following in it
Code:
AccessFileName .htaccess
<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</Files>
ok done, save your file.
STEP two: create .htaccess file and put it in the chosen directory
Now we need to create a new file and paste the following info into it
the file is going to be called .htaccess, please note the . in front of it, that is because it is a hidden file.
copy/paste the following text into this new file. Please note: AuthUserFile must include an absolute path, so "AuthUserFile .htpasswd" doesn't work even if you have .htpasswd in your current directory
Code:
AuthName "Authorization required"
AuthType Basic
AuthUserFile /var/www/.htpasswd
AuthGroupFile /dev/null
require valid-user
please note that the path /var/www/.htpasswd can change according to where you want it to be, and that at this point, the file .htpasswd does not yet exist.
ok, save the file and test to see that it exists by doing an ls with some switches to see hidden files.
Code:
[root@www private]# ls
index.html
[root@www private]# ls -alxhs
total 96K
4.0K . 4.0K .. 4.0K .htaccess 84K index.html
[root@www private]#
Now you can see the hidden .htaccess file and that it exists.
STEP three: create an 'apache' virtual user/password file called .htpasswd
Ok, now we need to actually create a 'virtual' user with a password. This user/pass is not a system user, it is only used by apache to give access to the specified directory.
To create the users let's change directory to where we want the .htpasswd file stored, in the example above it's in /var/www/
Code:
cd /var/www
Now we are there, let's make the file. To do this we use a program called htpasswd.
Code:
htpasswd -c /var/www/.htpasswd anyweb
It will prompt you for a password, enter it and then confirm it.
Once done confirm the file is present (it is hidden remember)
Code:
[root@www www]# ls -alxhs
total 32K
4.0K . 4.0K .. 4.0K cgi-bin 4.0K error 4.0K html 4.0K .htpasswd
4.0K icons 4.0K mrtg
good, it's there. The file will now contain the username you specified (in this case anyweb) and an encrypted password that looks something like this
Code:
anyweb:ARmbxDd.dE
STEP four: edit httpd.conf, add the path to the dir to protect, save, restart apache and test
Edit your httpd.conf file (usually in /usr/local/apache/conf if you compiled it)
find a section that reads
Quote:
#
# Controls who can get stuff from this server.
#
Order allow,deny
Allow from all
</Directory>
and change it so that it includes the path to the directories you want password protected (and which you also copied the .htaccess file into the root of)
Code:
#
# Controls who can get stuff from this server.
#
Order allow,deny
Allow from all
</Directory>
<Directory /usr/local/apache/websites/homedns/cv/>
AllowOverride All
Order allow,deny
Allow from all
</Directory>
<Directory /usr/local/apache/websites/kicks-ass/personal/family/>
AllowOverride All
Order allow,deny
Allow from all
</Directory>
save httpd.conf.
Let's restart apache so that it can read the newly edited httpd.conf file. To do so, issue the following as root
Code:
/usr/local/apache/bin/apachectl stop
/usr/local/apache/bin/apachectl start
That's it, you are done. Now test it by browsing in Mozilla to the 'protected' directory, you should be prompted for a username/password to access it!
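A pre-flight check for the setup above, added here as an example (not part of the original post): it confirms that .htaccess names an absolute AuthUserFile and that the password file exists, is well-formed and sits outside the document root. The function name check_htaccess and the temp-directory sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post); check_htaccess is a hypothetical name.
# usage: check_htaccess PROTECTED_DIR DOCUMENT_ROOT -> returns 0 if all checks pass
check_htaccess() {
    dir=$1 docroot=$2 rc=0
    ht="$dir/.htaccess"
    [ -f "$ht" ] || { echo "FAIL: $ht not found"; return 1; }

    # Directive names are case-insensitive; print the first argument of the directive.
    directive() { awk -v d="$1" 'tolower($1)==d {print $2; exit}' "$ht" | tr -d '"'; }
    authtype=$(directive authtype | tr 'A-Z' 'a-z')
    pwfile=$(directive authuserfile)
    [ "$authtype" = basic ] || { echo "FAIL: AuthType Basic missing"; rc=1; }
    [ -n "$(directive require)" ] || { echo "FAIL: no require line, login not enforced"; rc=1; }

    # AuthUserFile must be absolute, and the file must exist already.
    case $pwfile in
        /*) ;;
        '') echo "FAIL: AuthUserFile missing"; return 1 ;;
        *)  echo "FAIL: AuthUserFile '$pwfile' is not an absolute path"; return 1 ;;
    esac
    [ -f "$pwfile" ] || { echo "FAIL: $pwfile does not exist (run htpasswd -c)"; return 1; }

    # Inside the document root, only the <Files ~ "^\.ht"> block keeps it from being served.
    case $pwfile in
        "${docroot%/}"/*) echo "FAIL: $pwfile is inside the document root"; rc=1 ;;
    esac

    # Every entry must be user:hash with both parts non-empty.
    if grep -v -q -E '^[^:]+:.+' "$pwfile"; then
        echo "FAIL: malformed entry in $pwfile"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $dir"
    return "$rc"
}

# Constructed sample mirroring the howto's layout, built under a temp directory.
demo=$(mktemp -d)
mkdir -p "$demo/htdocs/private" "$demo/www"
printf 'AuthName "Authorization required"\nAuthType Basic\nAuthUserFile %s\nAuthGroupFile /dev/null\nrequire valid-user\n' "$demo/www/.htpasswd" > "$demo/htdocs/private/.htaccess"
printf 'anyweb:ARmbxDd.dE\n' > "$demo/www/.htpasswd"
check_htaccess "$demo/htdocs/private" "$demo/htdocs"
```

On a real server, call it with the protected directory and the document root, e.g. `check_htaccess /usr/local/apache/htdocs/private /usr/local/apache/htdocs`.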