How do I password-protect directories on my Web site?

Question:

How do I password-protect directories on my Web site?

Answer:

All you need to do for this is create a .htaccess file in the directory with the proper configuration commands and create the password file.

Software:

Apache 1.3.X

Detail:

In certain circumstances, you may want to restrict access to certain areas of your Web site to one person or a specific group of people. This section will show you how to restrict access to a certain directory based on a user name and password. You can also allow or deny access to areas of your Web site based on the IP address of the computer that is trying to access the site. Restricting access is a simple process that is done from the command prompt. If you’re using Microsoft FrontPage, there’s an even easier way to restrict access, which is explained in the FrontPage documentation.

Suppose you want to restrict access to the admin directory that you just created in your document root (/www/vhosts/domain.com/htdocs/). The key to restricting access to specific directories is a file called .htaccess. A .htaccess file contains instructions about who can and cannot access files in a certain directory, and its instructions apply to that directory and all directories below it. Depending on what you put in the .htaccess file, you can allow or deny many types of access. The following sections describe the main types of access restriction.

Solution:

The simplest and most common form of access restriction is to define a user name and password that your server will require in order for someone to access the directory through a Web browser.

For this example, you'll restrict access so that the user name "userA" and the password "passwordA" are required in order to access the admin directory for the vhost domain.com.

The first step in basic password restriction is to use the htpasswd command to create a password file containing a hashed (one-way scrambled) version of the password. Although any writable directory will do, it is suggested that you place the password file within the virtual host but outside of the cgi-bin and htdocs directories, e.g. /www/vhosts/domain.com/, so that it cannot be fetched through the Web server.

Now, use the htpasswd command with the -c option to create a new password file. You only need to use the -c option if you're creating a new password file, which this example shows. For this example, we will call the new password file "example.pwd," although the name can be anything that is meaningful to you. To use the htpasswd command, you need to type the command, followed by the appropriate option, then the file that will contain the encrypted password, and then the user name you wish to add to the password file. To do this for "userA" type:

> htpasswd -c example.pwd userA

You'll be prompted to enter a password twice. For this example, use passwordA as the password for this user. When you're done, a file called example.pwd will have been created in the current directory.  If you would like to see what it looks like, type

> more example.pwd

and the inside will appear something like:

userA:x2i8Pk9WufYJ

The garbled text next to the user name is a one-way hash of the password you chose: the server can check a submitted password against it, but the original password cannot be read back from the file. This helps protect your password from being discovered by unauthorized persons. It's important to remember that the -c option shown above should only be used when creating a new password file. If you want to add another entry to an existing password file, you need to omit the -c option, or you'll delete the existing password entries in the file.

Now that you have successfully created the password file, you're ready to create the .htaccess file. First, be sure you're in the directory that you want to protect, then enter the command:

> pico -w .htaccess

This will start the pico editor and create a new file called ".htaccess." Using the editor, carefully type the following lines:

AuthUserFile /usr/local/www/vhosts/domain.com/example.pwd
AuthName "Administrative Area"
AuthType Basic
<Limit GET>
require valid-user
</Limit>

The "AuthUserFile" line tells the Web server where the password file that protects this directory is located. The "AuthName" line contains the text that will be displayed in the password box that pops up in your Web browser when you try to access this page. Note that the AuthName must be surrounded in quotes. The "AuthType" should always be set to Basic. The "Limit" area contains the specific instructions as to how you want to limit access to this directory. Here you're limiting "GET" access, which is the standard way in which Web browsers "get" files from a Web server; note that a <Limit GET> block applies the restriction to GET (and HEAD) requests only, so other methods such as POST are not covered by it, which is why "require" is usually placed outside any <Limit> block when the whole directory is meant to be protected. The "require" keyword indicates that the only type of user allowed is "valid-user", i.e. anyone who supplies a correct user name and password pair from the password file. If you want to allow a single user, "valid-user" can be replaced with "user userA". But as this user would fall under the "valid-user" entry anyway, it is simpler to use the generic definition.

After typing all this in, be sure to press Enter a couple of times at the end of these lines. When you're done, press Ctrl+X, Y, Enter to save the file and to exit the editor, and you're finished.

From now on, when you try to access this directory through your Web browser, you will be required to enter the specified user name and password.
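As an added example (not part of the original article), the following Python script audits a .htaccess block like the one above: it flags a password file placed under the document root, missing directives, and a "require" that sits inside a <Limit GET> block (which restricts GET and HEAD requests only, leaving methods such as POST unprotected), and it produces a hardened copy with the <Limit> wrapper removed. The document root and the sample .htaccess are taken from the article; the function names are my own.

```python
import os
import re

# Document root from the article; the password file should live outside it.
DOCROOT = "/www/vhosts/domain.com/htdocs"
REQUIRED = ("AuthUserFile", "AuthName", "AuthType", "require")

# Constructed sample: the .htaccess exactly as the article has you type it.
SAMPLE = """AuthUserFile /usr/local/www/vhosts/domain.com/example.pwd
AuthName "Administrative Area"
AuthType Basic
<Limit GET>
require valid-user
</Limit>
"""

def parse(text):
    """Return (directive, argument, limit_methods) triples; limit_methods is
    None for directives outside any <Limit> block."""
    entries, limit = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<Limit\s+([^>]+)>", line, re.I)
        if m:
            limit = tuple(m.group(1).upper().split())
            continue
        if line.lower() == "</limit>":
            limit = None
            continue
        name, _, arg = line.partition(" ")
        entries.append((name, arg.strip(), limit))
    return entries

def audit(text, docroot=DOCROOT):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings, entries = [], parse(text)
    seen = {name.lower() for name, _, _ in entries}
    for req in REQUIRED:
        if req.lower() not in seen:
            findings.append(f"missing {req} directive")
    for name, arg, limit in entries:
        if name.lower() == "require" and limit is not None:
            findings.append(f"require is scoped to {' '.join(limit)} only; "
                            "other methods such as POST are not protected")
        if name.lower() == "authuserfile":
            if not arg.startswith("/"):
                findings.append("AuthUserFile should be an absolute path")
            elif os.path.normpath(arg).startswith(os.path.normpath(docroot) + "/"):
                findings.append("password file lies inside the document root")
    return findings

def harden(text):
    """Drop the <Limit> wrapper so 'require' applies to every HTTP method."""
    keep = [ln for ln in text.splitlines()
            if not re.match(r"</?limit\b", ln.strip(), re.I)]
    return "\n".join(keep) + "\n"
```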