Sometimes it is necessary to put a directory of your website off
limits to the general public. Perhaps you have an area that is
members only, or maybe you have an administrative area that you
don't want others messing with. Using the .htaccess file in
tandem with the .htpasswd file, you can restrict access to that
area of your site. If a visitor tries to access that
particular area, they will be prompted for a username and
password, and will not be allowed access until they provide
the proper username/password combination.
To set up password protection on one of your directories you will
need to be able to telnet into your web server. Although telnet
access isn't required and there are workarounds, this tutorial
will only cover password protection setup via the telnet method.
Below is an
example of a simple .htaccess file:
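AuthUserFile /path/to/your/password/file/.htpasswd
AuthGroupFile /dev/null
AuthName "Restricted Stuff"
AuthType "Basic"
# No <Limit GET POST> wrapper: inside <Limit>, only the listed methods
# require a login and every other HTTP method is left unprotected.
require valid-user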
The .htaccess
file will affect any directory it is placed in and override the
pre-configured server settings. Additionally, the .htaccess
file affects folders recursively. For example, if you
password protect a folder on your website located at http://www.website.com/restricted/
by placing this .htaccess in your restricted directory, not only
will the folder restricted be password protected, so will all
the files and folders within the restricted directory.
Back to the .htaccess file. The first line, beginning with
AuthUserFile, tells the web server where to find the
username/password file. You will need to change the
/path/to/... to reflect the path to your password file.
Keep the file name as .htpasswd. The next line down,
AuthGroupFile, is similar to AuthUserFile, but instead of
being a list of usernames/passwords, the AuthGroupFile outlines
specific groups that have access to this directory. We'll
talk more about restricting group access in a later
tutorial. For now, with the AuthGroupFile set to /dev/null,
the server treats it as meaning there are no group
restrictions.
The next line, AuthName, is customizable and can be set to
display a message or describe the area that someone is logging into.
As you can see from the password dialog box above taken from
IE5, anything that is included on the AuthName line will appear
in the Realm line. The
require valid-user line in the .htaccess can be left as is.
Now it's time to create the .htpasswd file. The .htpasswd file is
a list of all the usernames/passwords that have access to the
restricted directory. You will need to telnet into your
web server and change into the directory that the
AuthUserFile line of the .htaccess file points to as the location
of the .htpasswd file. To create a new .htpasswd file, type the
following at the command prompt, being sure to change johndoe to
the username of the account you want to add to the .htpasswd file:
htpasswd -c .htpasswd johndoe
You will be prompted for a new password to assign to johndoe.
Once you enter it, you will be prompted to enter it again to
verify it. If you need to add additional usernames/passwords,
you can enter the same command as above, without the -c switch.
The -c switch is used only to create a new .htpasswd file.
For example, to add econ120c to your .htpasswd file you would
type the following and then follow the prompts for entering
the password:
htpasswd .htpasswd econ120c
Passwords are stored in hashed form in the .htpasswd file, not
as plain text. A standard .htpasswd file will look something
like this:
econ120c:rngxrrnRhGdFo
econ120c:3lmIn9MHfWkKc
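An added example, not part of the original tutorial: a small Python audit that reads .htpasswd contents, reports which hash format each entry uses, and lists usernames that appear more than once. The first two sample lines are the ones shown above; the alice and bob entries are constructed placeholders, and the ok/weak verdicts are this example's assumption.

```python
import re
from collections import Counter

# Hash formats recognised by shape, per Apache's "Password Formats" notes.
# The ok/weak verdicts are this example's assumption, not Apache output.
SCHEMES = [
    ("bcrypt", re.compile(r"\$2[aby]\$\d\d\$[./A-Za-z0-9]{53}"), "ok"),
    ("apr1-md5", re.compile(r"\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}"), "weak"),
    ("sha1", re.compile(r"\{SHA\}[A-Za-z0-9+/]{27}="), "weak"),
    # Traditional crypt(): 2-char salt + 11 chars, and only the first 8
    # characters of the password are used.
    ("des-crypt", re.compile(r"[./A-Za-z0-9]{13}"), "weak"),
]

def classify(hash_field):
    """Return (scheme, verdict) for the text after 'user:'."""
    for name, pattern, verdict in SCHEMES:
        if pattern.fullmatch(hash_field):
            return name, verdict
    return "unknown-or-plaintext", "weak"

def audit(text):
    """Return (findings, duplicate_users) for .htpasswd file contents."""
    findings, seen = [], Counter()
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, hash_field = line.partition(":")
        if not sep or not user:
            findings.append((lineno, line, "malformed", "weak"))
            continue
        seen[user] += 1
        findings.append((lineno, user) + classify(hash_field))
    return findings, sorted(u for u, n in seen.items() if n > 1)

# First two lines come from the tutorial's sample file; alice and bob are
# constructed placeholders with the right shape, not real hashes.
SAMPLE = "\n".join([
    "econ120c:rngxrrnRhGdFo",
    "econ120c:3lmIn9MHfWkKc",
    "alice:$2y$05$" + "A" * 53,
    "bob:{SHA}" + "A" * 27 + "=",
])

if __name__ == "__main__":
    findings, duplicates = audit(SAMPLE)
    for lineno, user, scheme, verdict in findings:
        print(f"line {lineno}: {user:10} {scheme:22} {verdict}")
    print("duplicate usernames:", duplicates)
```

Run against the sample above, it reports both econ120c entries as des-crypt and flags econ120c as a duplicate username.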
This tutorial outlines a simple method to restrict individual
users from accessing certain areas of your website. Coming soon
we'll discuss some more advanced methods of using
.htaccess/.htpasswd to restrict access from certain IP addresses
and certain groups.