.htaccess password protection: Securing a folder in a website

Discussion in 'Linux Server' started by gcawood, Nov 10, 2011.

  1. gcawood

    gcawood Administrator Staff Member

    Oct 28, 2011
    If you have any sort of sensitive documentation or private web application that you want to secure behind a username and password field, then .htaccess is a simple and easy way to start. .htaccess is a server-side challenge/response security mechanism that is built directly into the web server. It is, therefore, more secure than a scripted approach to security that is embedded into any application.

    To use .htaccess, you will need to have access to a web-accessible directory. In that directory, you will need to place the following file.

    Making a .htaccess file
    The .htaccess file should be placed inside of the directory that you want to secure. The file should contain the following code.

    AuthUserFile /home/username/secrets/.htpasswd
    AuthGroupFile /dev/null
    AuthName "You Shall Not Pass!!"
    AuthType Basic
    require user username

    The first line "AuthUserFile" is the full server path to your htpasswd file. You will need to edit this line so that it references the correct location of the .htpasswd file. Please note that this is not a URL; this is a server path and, in a Linux file system, will start with a /. You should also not put your .htpasswd file in a web-accessible directory!!

    Edit the line that starts with "require user" so that you enter the username of those who you want to give access to.

    This applies if you had an htpasswd file that had multiple users set up in it and you wanted each one to have access to an individual directory. If you wanted the entire list of users to have access to that directory, you would replace Require user xxx with require valid-user.

    The AuthName is the name of the area you want to access. It could say anything, such as "You Shall Not Pass!!". Feel free to change this to whatever you want.

    We are using AuthType Basic because we are using basic HTTP authentication.

    Generating a password file

    There are a bunch of different ways to generate .htaccess files. However, as this is a Linux forum, we will show the CLI way of doing it. If you don't have command line access, just google "generate .htpasswd file" and you will be set.

    USAGE: Command -c PATH UserName
    htpasswd -c /home/username/secrets/.htpasswd Obama
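
As an added example (not part of the original post), this Python script checks a .htaccess body against the points the post makes: Basic auth configured, a require line present, and AuthUserFile given as a full server path outside the web root. The web root /home/username/public_html and the bad sample are assumptions constructed for the illustration.

```python
import posixpath
import shlex

DOCROOT = "/home/username/public_html"  # assumed web root; not stated in the post

# The .htaccess from the post above.
PAGE_EXAMPLE = '''AuthUserFile /home/username/secrets/.htpasswd
AuthGroupFile /dev/null
AuthName "You Shall Not Pass!!"
AuthType Basic
require user username
'''

# Constructed bad sample: password file under the web root, no require line.
BAD_EXAMPLE = '''AuthUserFile /home/username/public_html/private/.htpasswd
AuthName "Private"
AuthType Basic
'''

def parse_htaccess(text):
    """Map each directive name (lower-cased) to the arguments of its last occurrence."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, *args = shlex.split(line)  # keeps a quoted AuthName as one argument
            directives[name.lower()] = args
    return directives

def audit(text, docroot=DOCROOT):
    """Return a list of findings; an empty list means every check passed."""
    d = parse_htaccess(text)
    findings = []
    if [a.lower() for a in d.get("authtype", [])] != ["basic"]:
        findings.append("AuthType is not Basic")
    if not d.get("authname"):
        findings.append("AuthName is missing")
    if not d.get("require"):
        findings.append("no require line, so no login is enforced")
    path = (d.get("authuserfile") or [""])[0]
    if not path.startswith("/"):
        findings.append("AuthUserFile is not a full server path")
    else:
        root = posixpath.normpath(docroot)
        if posixpath.commonpath([posixpath.normpath(path), root]) == root:
            findings.append("AuthUserFile is inside the web root")
    return findings

if __name__ == "__main__":
    for label, sample in (("page example", PAGE_EXAMPLE), ("bad example", BAD_EXAMPLE)):
        print(label, "->", audit(sample) or "OK")
```
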
  2. MustangV10

    MustangV10 New Member

    Nov 11, 2011
    I've used .htaccess before; quite a handy feature in my opinion. I could never make use of it once before since I had a dynamic IP; I have a static one now, so I can.
  3. ashishagarwal

    ashishagarwal New Member

    Nov 14, 2012
    Why not in a Static IP

    I mean, why didn't you use .htaccess in a static IP?
  4. grvvash

    grvvash New Member

    Jun 30, 2016
    Wow, thanks for sharing such a great article. I have been looking seriously for .htaccess password for many weeks and find this one very useful.