Protecting Web Server Directories with Passwords
This article describes how to password-protect directories and files using an .htaccess file under the Apache web server.
Creating a .passwd File
To protect directories and files under the Apache web server, a file containing the password data is required. This file is best created not in the web server's DocumentRoot directory (for example, /var/www), from where it could be read over the Internet, but rather in the /root directory.
vps140:~# htpasswd -cs .passwd testuser
New password:
Re-type new password:
Adding password for user testuser
vps140:~#
The -c flag causes a new file to be created. The -s flag causes the password to be hashed using the Secure Hash Algorithm (SHA).
The file can be viewed using the cat command.
vps140:~# cat .passwd
testuser:{SHA}RcVxoVbdzvQTUacTvN3uW6fpVGA=
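The following check is an added example, not part of the original article: it reads password-file lines such as the one above, flags entries in the {SHA} format written by htpasswd -s (a bare, unsalted SHA-1 digest, so equal passwords give equal entries), and reports a password file that lies under DocumentRoot. The alice and bob entries are constructed, the function names are hypothetical, paths are assumed to be absolute, and htpasswd -B (bcrypt) requires Apache 2.4 or later.

```python
import base64
import hashlib
import posixpath

# Constructed sample: the testuser line is the one shown in the article;
# the alice and bob entries are made up for illustration.
SAMPLE = """\
testuser:{SHA}RcVxoVbdzvQTUacTvN3uW6fpVGA=
alice:$apr1$Xy3kQ9aB$0123456789abcdefghijk.
bob:$2y$05$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234
"""

WEAK = {"sha1-unsalted", "crypt-or-plaintext"}

def sha_field(password):
    """Build the field `htpasswd -s` stores: base64 of a bare SHA-1 digest."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")

def scheme(field):
    """Classify the hash field of one user:hash line by its prefix."""
    if field.startswith("{SHA}"):
        return "sha1-unsalted"
    if field.startswith("$apr1$"):
        return "apr1-md5"
    if field.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    return "crypt-or-plaintext"

def inside(path, docroot):
    """True if path lies under docroot (pure path comparison, no disk access)."""
    path, docroot = posixpath.normpath(path), posixpath.normpath(docroot)
    return posixpath.commonpath([path, docroot]) == docroot

def audit(text, passwd_path, docroot):
    """Return a list of findings for a password file and its location."""
    findings = []
    if inside(passwd_path, docroot):
        findings.append(f"{passwd_path} is under DocumentRoot {docroot}")
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # blank lines and comments carry no credentials
        user, _, field = line.partition(":")
        kind = scheme(field)
        if kind in WEAK:
            findings.append(f"{user}: {kind} hash, re-create with htpasswd -B")
    return findings
```

Calling audit(SAMPLE, "/root/.passwd", "/var/www") returns one finding, for testuser.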
Creating the .htaccess File
To provide directories and files with password protection under Apache web server, an .htaccess file can be created in the corresponding directory (using the nano editor, for example), which will then enable password protection. The following example assumes that the websvn directory located in the web server’s DocumentRoot directory should be protected by a password.
vps140:/var/www/websvn# nano .htaccess
The file will appear as follows:
AuthType Basic
AuthUserFile /root/.passwd
AuthName "websvn"
order deny,allow
allow from all
require valid-user
The AuthUserFile line indicates where the .passwd file, which is used to authenticate the user during login, can be found. The require valid-user line specifies who should have access to the directories and files. With valid-user, all users stored in the .passwd file receive access to the directories and files. (If only certain users should have access, that can be indicated here by require user testuser, for example.)
Adjusting the File using VirtualHost
For the settings to take effect, the AllowOverride option must be changed from None to All for the DocumentRoot directory (/var/www/) in the configuration file of the corresponding VirtualHost.
vps140:/etc/apache2/sites-available# nano default
NameVirtualHost *
<VirtualHost *>
        ServerAdmin webmaster@localhost

        DocumentRoot /var/www/
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                allow from all
                # This directive allows us to have apache2's default start page
                # in /apache2-default/, but still have / go to the right place
                RedirectMatch ^/$ /apache2-default/
        </Directory>
. . .
Accepting the Settings
For the web server to accept the settings, it only needs to be restarted afterwards.
vps140:~# /etc/init.d/apache2 restart
Forcing reload of web server (apache2)... waiting .
vps140:~#
Result
If someone wants access to the web site, a window will appear for authentication purposes.
Links
- .htaccess (en.wikipedia.org)
Author: Florian Hettenbach