User Tools

Site Tools


Password protected web directories and other options

It is possible to restrict access to a part of your website. Restrictions could take the form of a password prompt, or access granted only from certain IP addresses.

The .htaccess mechanism

The Apache webserver has a mechanism to set options for a part of a website, by putting a file named .htaccess in the directory for which those options should be set.

Note: directories inherit .htaccess settings from their parent directories, so if you have a password set on ~username/secret , then ~username/secret/too will also be password protected, unless you place a .htaccess file in it which ends the protection.

Another note: the .htaccess file only has effect for access through the webserver. It does nothing to restrict access for local users; use Unix filesystem permissions to achieve that goal (but: somehow you will need to make sure the webserver still has access, not an easy task! See ACLs)

Creating a password file

Make a password file, using the command htpasswd:

htpasswd -c ~/.htpasswd username

where ~/.htpasswd is the file to create (can be anywhere on disk) and username is the username to use for logging in (so this has no necessary relation to your own username!). The command will prompt for a password, and then create a file with the username and the password in encrypted form. You can add multiple users by running the command again without the -c option (which stands for “create”).

Sample .htaccess file

Here is a sample of what to put in .htaccess . Of course you should include the right path to your password file (which doesn't have to be in the web directory).

AuthUserFile /home/user/.htpasswd
AuthGroupFile /dev/null
AuthName "Highly classified information"
AuthType Basic

<limit GET POST>
require valid-user 

Other parts you may want to change:

  • AuthName is the text displayed in the password dialog, so you can change this to something useful (in fact, the protection scheme is not suitable for highly classified information!)
  • In stead of require valid-user you can also use require user username with a specified username or list of usernames. This may be useful if you have one .htpasswd file with multiple usernames, and some users should have access to one part of the site, and other users have access to other parts.

Other options

The .htaccess file can also be used to set some options for the directory, when viewed through a web browser. The most common one is, to grant access to make a directory listing, useful when a directory is meant for downloads. The option to set is:

Options +Indexes

More information about .htaccess files and related options can be found on-line, eg in the Apache htaccess tutorial.

web_pages_options.txt · Last modified: 2015/05/26 13:45 by