February 22, 2015
Restricting Access to Your Files and Directories via HTAccess Authentication
This tutorial covers Basic user authentication using HTAccess. Authentication denies web access to files unless the visitor supplies a valid username and password. This feature lets webmasters like yourself restrict access to certain directories. The usernames and encrypted passwords are kept in a webmaster-maintained file.
You will need the following basic skills:
The ability to telnet into your server using the provided telnet account.
A very basic working knowledge of Unix shell commands (cd, mkdir, etc.). Once logged in, you may type help at the prompt for a complete list of commands.
Let’s suppose you want to restrict files in a directory called turkey to username pumpkin and password pie. Here’s what you do:
With any text editor (e.g. Notepad), create a file called .htaccess. Substitute your own username in the path below, make certain that you have already created the folder called turkey on your server (or whatever folder you need to password protect), and substitute that folder name for turkey in the path. The AuthName value is a realm name of your choice. The file should look like this:
AuthUserFile /usr/www/htdocs/username/turkey/.htpasswd
AuthGroupFile /dev/null
AuthName "Turkey Directory"
AuthType Basic
require user pumpkin
FTP your new .htaccess file to the directory turkey on your server.
In the above .htaccess file, AuthUserFile points to the password file. In this case, we named the password file .htpasswd. AuthUserFile must specify the full Unix pathname of the password file; on this server the full path would be /usr/www/htdocs/username/turkey/.htpasswd. For this example, we chose to place the .htpasswd file in the turkey folder, alongside the .htaccess file. Note that the password file can be placed in any folder as long as the path in the .htaccess file is correct. Simply FTP the .htaccess file into the turkey folder.
AuthGroupFile: In this case there is no group file, so we specify /dev/null (the standard Unix way to say “this file doesn’t exist”).
AuthName can be anything you want. It gives the Realm name for which the protection is provided. This name is usually shown when a browser prompts for a password (i.e. when the authentication dialog box pops up). Browsers also usually use it, together with the URL, to save the password information you enter so that they can authenticate automatically on the next attempt to enter the restricted directory. Note: you should set this to something, otherwise it will default to ByPassword, which is both non-descriptive and too common.
AuthType should be set to Basic, since we are using Basic HTTP Authentication. Other possibilities for NCSA HTTPd 1.5 are PEM, PGP, KerberosV4, KerberosV5, or Digest. A discussion of these types of authentication can be found with any search engine.
Now let's create the password file, which in this case is .htpasswd.
The easiest way to do this is to use the htpasswd program distributed with NCSA HTTPd.
To do this, telnet into the server and change to the turkey directory (which you should already have created, perhaps through an FTP program).
Once into your account via telnet, at the command line, type:
htpasswd -c /usr/www/htdocs/username/turkey/.htpasswd pumpkin
It will then prompt you for the password you want to use.
Type the password, which in this example is pie, and press the Enter key. You will be prompted to enter the password again for verification. The file is then created in the turkey folder.
If you view the resulting .htpasswd file, it should contain one line of the form username:encryptedpassword, like this or similar:
The characters next to the word pumpkin are the encrypted form of the password “pie” :)))
Important Note: be sure that the path and filename of the password file are the same in the .htaccess file you create and in the htpasswd command you run.
That’s it. Any files that you place in your turkey directory now require Basic Authentication to access. When you try to access this directory, your browser should demand a username and password. Enter pumpkin in the username field and pie in the password field. If you are using a browser that doesn’t handle authentication, you will not be able to access the document at all.
Note also that the .htaccess file restricts access to any subdirectory of the directory in which it resides. Hence, any visitor requesting ~/turkey/nextdirectory would be presented with an authentication request, unless ~/turkey/nextdirectory had a .htaccess file of its own.
Note that to add more users in the future, use the htpasswd program again but without the -c switch. For example:
htpasswd /usr/www/htdocs/username/turkey/.htpasswd bob
will add username “bob” to your .htpasswd file.
To delete users, open the .htpasswd file in a text editor and delete the appropriate lines. You will need to use ls -al to see the hidden file in the folder, or enable showing hidden files in an FTP client like FileZilla.
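To make concrete what the server does with the .htpasswd file once the browser sends the username and password, here is an added Python model of the whole check described in this tutorial: parsing the password file, decoding the Basic Authorization header, verifying the password, and adding or removing users as the last two notes describe. It is example code written for this page, not code from the tutorial or from Apache or NCSA HTTPd. It assumes the {SHA} password format that Apache's htpasswd -s writes (base64 of the SHA-1 digest) rather than the crypt() format the tutorial's server produced, and the sample password file and header are constructed here for the pumpkin/pie example.

```python
"""Model of Basic authentication against an .htpasswd file.

Constructed example for this tutorial (not Apache's or the page's code).
Assumptions: passwords are stored in the {SHA} form that `htpasswd -s`
writes; the header has the standard shape "Basic <base64(user:password)>".
"""
import base64
import hashlib
import hmac


def sha_hash(password: str) -> str:
    """Return the {SHA} entry that `htpasswd -s` writes for this password."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def parse_htpasswd(text: str) -> dict:
    """Parse .htpasswd text into {username: stored_hash}.

    Blank lines and lines without a colon are skipped, as the server skips them.
    """
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        users[user] = stored
    return users


def render_htpasswd(users: dict) -> str:
    """Serialize the user table back into .htpasswd text."""
    return "".join(f"{u}:{h}\n" for u, h in users.items())


def add_user(users: dict, username: str, password: str) -> dict:
    """Add or replace a user, like `htpasswd` without -c."""
    if ":" in username:
        raise ValueError("username may not contain ':'")
    users[username] = sha_hash(password)
    return users


def remove_user(users: dict, username: str) -> dict:
    """Remove a user, the equivalent of deleting the line in a text editor."""
    users.pop(username, None)
    return users


def check_password(users: dict, username: str, password: str) -> bool:
    """Verify one username/password pair against the parsed file."""
    stored = users.get(username)
    if stored is None or not stored.startswith("{SHA}"):
        return False
    # Constant-time comparison: a wrong guess reveals nothing about how close it was.
    return hmac.compare_digest(stored.encode("ascii", "replace"),
                               sha_hash(password).encode("ascii"))


def basic_header(username: str, password: str) -> str:
    """Build the Authorization header value a browser sends (client side)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def authorize_basic(users: dict, authorization_header: str):
    """Decode an 'Authorization: Basic ...' value and check it.

    Returns the authenticated username, or None when the request must be
    answered with 401 and the realm from AuthName.
    """
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet.
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    if ":" not in decoded:
        return None
    username, password = decoded.split(":", 1)
    return username if check_password(users, username, password) else None


# Constructed sample file for the tutorial's pumpkin/pie example.
SAMPLE_HTPASSWD = "pumpkin:" + sha_hash("pie") + "\n"


if __name__ == "__main__":
    table = parse_htpasswd(SAMPLE_HTPASSWD)
    print("pumpkin/pie    ->", authorize_basic(table, basic_header("pumpkin", "pie")))
    print("pumpkin/wrong  ->", authorize_basic(table, basic_header("pumpkin", "wrong")))
    add_user(table, "bob", "secret")
    print(render_htpasswd(table), end="")
```

The base64 in the header is an encoding, not encryption: anyone who can read the request can recover pumpkin:pie, which is why the check is only as private as the connection carrying it. The server, by contrast, never stores the password itself, only its hash, so the file on disk does not reveal pie directly.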