.htaccess password protection: Securing a folder in a website

Discussion in 'Linux Server' started by gcawood, Nov 10, 2011.

  1. gcawood

    gcawood Administrator Staff Member

    If you have any sort of sensitive documentation or private web application that you want to secure behind a username and password field, then .htaccess is a simple and easy way to start. .htaccess is a server-side challenge/response security mechanism that is built directly into the web server. It is therefore more secure than a scripted approach to security that is embedded into any application.

    To use .htaccess, you will need to have access to a web accessible directory. In that directory, you will need to place the following file.

    Making a .htaccess file
    The .htaccess file should be placed inside of the directory that you want to secure. The file should contain the following code.

    Code:
    AuthUserFile /home/username/secrets/.htpasswd
    AuthGroupFile /dev/null
    AuthName "You Shall Not Pass!!"
    AuthType Basic
    
    require user username
    
    The first line "AuthUserFile" is the full server path to your htpasswd file. You will need to edit this line so that it references the correct location of the .htpasswd file. Please note that this is not a URL; this is a server path and, in a Linux file system, will start with a /. You should also not put your .htpasswd file in a web accessible directory!!

    Edit the line that starts with "require user" so that you enter the username of those who you want to give access to.

    This applies if you had an htpasswd file that had multiple users set up in it and you wanted each one to have access to an individual directory. If you wanted the entire list of users to have access to that directory, you would replace Require user xxx with require valid-user.

    The AuthName is the name of the area you want to access. It could say anything, such as "You Shall Not Pass!!". Feel free to change this to whatever you want.

    We are using AuthType Basic because we are using basic HTTP authentication.

    Generating a password file

    There are a bunch of different ways to generate a .htaccess file. However, as this is a Linux Forum, we will show the CLI way of doing it. If you don't have command line access, just google "generate .htpasswd file" and you will be set.

    USAGE: Command -c PATH UserName
    Code:
    htpasswd -c /home/username/secrets/.htpasswd Obama
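
An added example, not part of gcawood's post: a shell function that audits a .htaccess like the one above, checking that AuthUserFile is an absolute server path, that the password file sits outside the web root, and that every name on a require user line has an entry in the password file. The function name audit_htaccess and the FINDING: output format are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Names and output format are made up.
# audit_htaccess HTACCESS DOCROOT: prints findings, returns how many were found.
audit_htaccess() {
    htaccess=$1; docroot=$2; findings=0
    note() { echo "FINDING: $*"; findings=$((findings + 1)); }

    # Apache directive names are case-insensitive; drop optional quotes.
    pwfile=$(awk 'tolower($1) == "authuserfile" { print $2; exit }' "$htaccess" | tr -d '"')
    users=$(awk 'tolower($1) == "require" && tolower($2) == "user" {
                     for (i = 3; i <= NF; i++) print $i }' "$htaccess")
    anyuser=$(awk 'tolower($1) == "require" && tolower($2) == "valid-user" {
                       print "yes"; exit }' "$htaccess")

    if [ -z "$pwfile" ]; then note "no AuthUserFile directive"; return "$findings"; fi
    case $pwfile in
        /*) ;;
        *)  note "AuthUserFile is not an absolute server path: $pwfile" ;;
    esac
    if [ ! -f "$pwfile" ]; then
        note "password file not found: $pwfile"; return "$findings"
    fi

    # Compare physical directory paths so a symlinked directory does not hide
    # a password file that really lives under the web root.
    pwdir=$(cd "$(dirname "$pwfile")" && pwd -P)
    root=$(cd "$docroot" && pwd -P)
    case $pwdir/ in
        "$root"/*) note "$pwfile is inside the web root $root" ;;
    esac

    if [ -z "$users" ] && [ -z "$anyuser" ]; then
        note "no 'require user' or 'require valid-user' line"
    fi
    # Each name on a 'require user' line needs a user:hash entry.
    for u in $users; do
        awk -F: -v u="$u" '$1 == u { f = 1 } END { exit !f }' "$pwfile" ||
            note "required user '$u' has no entry in $pwfile"
    done
    return "$findings"
}

if [ "$#" -eq 2 ]; then audit_htaccess "$1" "$2"; fi
```

When a finding reports a missing user, add the entry with htpasswd without -c, since -c recreates the password file and drops the entries already in it.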


  2. MustangV10

    MustangV10 New Member

    I've used .htaccess before; quite a handy feature in my opinion. I could never make use of it once before since I had a dynamic IP; I have a static one now, so I can.

  3. ashishagarwal

    ashishagarwal New Member

    Why not in a Static IP

    means why didn't you use .htaccess in a static IP?
