Using .htaccess & htpasswd To Protect Your Files From Unauthorized Access
using telnet or ftp
WARNING: Be very careful editing your server configuration or .htaccess files.
Even a minor typographical error can make your site unusable!
Always make a backup copy of any file so you can recover quickly.
It is possible there are parts of your site which you would prefer that not just anyone have access to.
Maybe, for instance, you have a family photo album on line that you want only your family to see.
Installing the .htaccess involves a few steps.
The most important thing is to make sure you do not install the .htaccess file in your main web directory.
If you do, everyone will be locked out of your website.
Unless this is what you want to do, make sure you create the directory and are located in it before creating the file.
Before taking you through the steps of setting up this protection scheme, please take a moment to look at some things you should know.
- Nothing in life is truly secure. There may be holes in this system.
- The user name and password are transmitted as plain, readable text, they are not encrypted.
- If a user knows about subdirectories under the protected directory- security can be breached if the subdirectories are not also protected.
- If you plan on giving passwords to people, keep in mind that it is an extra maintainence function for you to perform.
- Step 1: See where you are. At your prompt enter the command pwd to see what directory you are in.
If you already have made your new directory and are in it- go to Step 3.
- Step 2: issue the command mkdir dirname where dirname is what you want to call the directory you will be protecting.
Then enter the command cd dirname
- Step 3: Using an editor such as vi or pico, create a file called .htaccess that looks just like this:
AuthName "The Secret Page"
<Limit GET POST>
- Step 4: Change the AuthUserFile so that the UNIX PATH matches that of your system, where the password file that we will create in a moment will reside.
Above is an example of a htpasswd file which can live in any location within the server.
This is an example of a htaccess file that lives in a sub directory where the access will be granted or limited.
- Step 5: (skip if not using multiple users)Change the AuthGroupFile to the name of a group that you speicify. AuthGroupFile /dirname/.htgroup
You will also have to create a .htgroup file listing authorised persons to use this. And change these lines:
require group people
Changing the word "people" for the name you wish to call the group.
- Step 6: Change The Secret Page to be whatever title you want to have appear on the password box.
The pop up box will look like this:
- Step 7: To create the password file, issue the following command: (NOTE: you only do it this way to create
a new file) htpasswd -c .htpasswd user_name (where user_name is a name)
If you get a message like, htpasswd: not found enter the command type htpasswd.
If that doesn't do the trick, try which httpd. If htpasswd is not in your path, you
will have to add that directory to your path or enter the command as /what/ever/dir/htpasswd -c user_name
That is all there is to it! If you experience any unexpected problems, or you change your mind about restricting access, just
issue the command: rm .htaccess
- Step 8: The system will ask you to enter the password for this user.
It will then ask you a second time to confirm your typing.
- Step 9: Continue to add new users, but with this version of the command. htpasswd .htpasswd new_name
The -c option is only for the initial creation of the file.
The first thing to do is set up a file called htaccess.txt and place it in the directory you wish to protect.
NOTE: Files begining with a "." may not show in in your FTP program. You must use note pad to write them, and then save them as "htaccess.txt", "htpasswd.txt", or "htgroup.txt" ect. in your own website file on your HD in the same directory of where you are putting it on your website.
When you are ready, upload it as a ".txt" file. Then to activate it, you must change the name to a "." prefix, and eliminate the ".txt" extension at the end. (example: ".htaccess") When you do this, it may disappear from your view, but rest assured it is there, and you know where it is, and what it says, because you saved a copy of it on your HD.
It looks something like this:
require user joe
You must rename dirname on this line to what you wish to call the directory you will put this file in.
(Remember it's important to keep the password file in another directory.)
Here is the meaning of each line broken down:
- AuthUserFile /dirname/.htpasswd tells the server that it will find the file containing the passwords (.htpasswd) in the directory called dirname.
This is an example of a relative path residing one down, or in a sub directory of the password protected directory.
To create a htpasswd file which can live in any location within the server, use the full path: /usr/public_html/dirname/.htpasswd.
- AuthGroupFile /dev/null tells the server where to find the group file.
You only need a group file if you have multiple usernames and passwords.
The line with /dev/null means this file doesn't exist.
To use a group file, add the path so it looks like:
- AuthName joe specifies the name that shows up when the browser asks the user to enter a password.
You can really use any name to describe it like: AuthName "The Secret Page"
- AuthType Basic describes the type of authentication we're using.
In this case, it's Basic (as in HTTP Basic Authentication).
- <Limit GET> require user joe </Limit>
GET is an HTTP request for a file that is sent by a browser to a server.
This line limits the power of GET by saying that only the user "joe" may look at files in this directory.
You may also add POST:
<Limit GET POST> require user joe </Limit>
You may avoid groups to save having to make a htgroup file, and add just a couple of users:
require user joe
require user dave
Now make your htpasswd.txt file look like:
Rename dirname and upload it to the directory that you specified above. Then save a copy as reminded in the grey box above, and change the name to .htpasswd.
To allow multiple users in a directory, you can use the example in the telnet section.
Then make your htpasswd.txt file look like:
*note: It is strongly suggested you encrypt your passwords. To do that, GO HERE
and your htgroup.txt file look like:
groupname: jim dave jake jill sue
You may have more than one group in your htgroup.txt file:
groupname: jim dave jake jill sue
2ndgroupname: george mary kim
Back to HTACCESS
- Account Log ins
Control Panel Sample
- Getting Started
Chosing a Password
Anti Spam Tips
- Creating Databases
- Unix Commands
Telnet / SSH