WARNING: Be very careful editing your server configuration
or .htaccess files. Even a minor typographical error can
make your site unusable! Always make a backup copy of any file so you
can recover quickly.
USING .HTACCESS & HTPASSWD TO PROTECT YOUR FILES FROM
UNAUTHORIZED ACCESS
There may be parts of your site that you would prefer
not just anyone could access.
APACHE and other web servers provide a system
that you can use to control access to certain directories
on your website. You might have a family photo album online
that you want only your family to see. No matter what your
little secret is, I will show you how to help keep private
things a little more private.
I am sure that in your surfing around on the 'Net you have every
once in a while run into:
[Image: not a real screen!]
This is not JAVA or CGI-BIN, but something that is very easy
to implement, even for a newer web author. The .htaccess
feature of your server is activated simply by placing a small
file in the directory you want to protect. Guess what the file
is called? Yes, you're correct! .htaccess
Before taking you through the steps of setting up this protection
scheme, please take a moment to look at some things you should know.
Nothing in life is truly secure. There may be holes
in this system.
The user name and password are transmitted as plain, readable
text; they are not encrypted.
If you plan on giving passwords to people, keep in mind that
it is an extra maintenance function for you to perform.
To set up .htaccess you must be able to access your server
using telnet; this cannot be done using FTP.
If you do not have telnet access to your site, check your
provider's FAQ or reference pages to see if they have a
script you can use for setting passwords.
Setting up an .htaccess Protected Directory
Installing the .htaccess involves a few steps. The most
important thing is to make sure you do not install the .htaccess
file in your main web directory. If you do, everyone will be
locked out of your website. Unless this is what you want to do,
make sure you create the directory and are located in it before
creating the file.
Step 1: See where you are. At your prompt enter the command
pwd to see what directory you are in. If you have already
made your new directory and are in it, go to Step 3.
Step 2: Issue the command mkdir dirname where dirname
is what you want to call the directory you will be protecting. Then
enter the command cd dirname
Step 3: Using an editor such as vi or pico,
create a file called .htaccess (lower case letters of course,
with the leading period) that looks just like this:
AuthUserFile /usr/www/dirname/.htpasswd
AuthGroupFile /dev/null
AuthName "The Secret Page"
AuthType Basic
<Limit GET POST>
require valid-user
</Limit>
Step 4: Change the AuthUserFile so that the
UNIX PATH matches that of your system. This is where the
password file that we will create in a moment will reside.
Step 5: Change The Secret Page to be whatever
title you want to have appear on the password box.
Step 6: To create the password file, issue the
following command: (NOTE: you only do it this way to create
a new file)
htpasswd -c .htpasswd user_name (where user_name is a name)
If you get a message like htpasswd: not found, enter the
command type htpasswd. If that doesn't do the trick, try
which httpd. If htpasswd is not in your path, you
will have to add that directory to your path or enter the command
as /what/ever/dir/htpasswd -c .htpasswd user_name
Step 7: The system will ask you to enter the
password for this user. It will then ask you a second
time to confirm your typing.
Step 8: Continue to add new users, but with this
version of the command. The -c option is only for
the initial creation of the file.
htpasswd .htpasswd new_name
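A check for the file from Step 3, added here as an example and not part of the original tutorial: it flags a password file stored inside the protected directory (anyone who can request it by URL gets the password hashes unless the server blocks .ht* files) and a <Limit> block (its require line covers only the listed methods). The function name audit_htaccess, the finding labels and the sample directory are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original page): audit an .htaccess file.
# Usage: audit_htaccess HTACCESS_FILE PROTECTED_DIR
# Prints one finding per line; prints nothing when no issue is found.
audit_htaccess() {
    file=$1
    dir=${2%/}    # protected directory, trailing slash removed

    # Directive names are case-insensitive; the path may be quoted.
    pwfile=$(awk 'tolower($1) == "authuserfile" {
        gsub(/"/, "", $2); print $2; exit }' "$file")
    case $pwfile in
        "")       echo "NO_AUTHUSERFILE no AuthUserFile directive found" ;;
        "$dir"/*) echo "PWFILE_IN_WEB_DIR $pwfile is inside the served directory" ;;
    esac

    # Inside <Limit>, "require" covers only the listed methods.
    methods=$(awk 'tolower($1) == "<limit" {
        sub(/^[ \t]*[^ \t]+[ \t]+/, ""); sub(/>.*/, ""); print; exit }' "$file")
    if [ -n "$methods" ]; then
        echo "LIMIT_SCOPE require applies only to: $methods"
    fi

    # Without a require line the Auth* directives never prompt anyone.
    if ! grep -qi '^[[:space:]]*require[[:space:]]' "$file"; then
        echo "NO_REQUIRE no require directive found"
    fi
}

# Constructed sample: the Step 3 file, written to a temporary directory
# that stands in for the protected directory (an assumption).
demo_dir=$(mktemp -d)
cat > "$demo_dir/.htaccess" <<EOF
AuthUserFile $demo_dir/.htpasswd
AuthGroupFile /dev/null
AuthName "The Secret Page"
AuthType Basic
<Limit GET POST>
require valid-user
</Limit>
EOF
audit_htaccess "$demo_dir/.htaccess" "$demo_dir"
rm -rf "$demo_dir"
```

For the Step 3 file it reports PWFILE_IN_WEB_DIR and LIMIT_SCOPE. Pointing AuthUserFile at a path outside the served directory and leaving require valid-user without the <Limit> wrapper clears both.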
That is all there is to it! If you experience any unexpected
problems, or you change your mind about restricting access, just
issue the command: