SOHO : Small Office Home Office
Freeware - Opensource software tips, tricks, tweaks & fixes for managing, securing, improving the performance of SOHO Desktop, Laptop, Networks

Sunday, February 21, 2010

How to use .htaccess and .htpasswd files for basic authentication

steps to password protect a folder with .htaccess
  1. create .htaccess file
  2. create .htpasswd file
  3. edit httpd.conf file
Creating .htaccess file
Create a file with below text as guide and save it as .htaccess. Place this in the folder which has to be protected. The .htaccess file also protects subdirectories of the directory in which it is placed.
AuthUserFile /var/www/html/private/.htpasswd AuthGroupFile /dev/null AuthName "My Private Directory" AuthType Basic
require user username
  • AuthUserFile is the absolute path to the .htpasswd file 
  • require user is where you enter the username of those who you want to have access to that portion of your site. Note that using this will allow only that specific user to be able to access that directory. This applies if you had an htpasswd file that had multiple users setup in it and you wanted each one to have access to an individual directory. If you wanted the entire list of users to have access to that directory, you would replace Require user xxx with require valid-user
  • AuthName is the name of the area you want to access. It could anything, such as "EnterPassword". You can change the name of this 'realm' to whatever you want, within reason. 
  • AuthType Basic because we are using basic HTTP authentication.
Creating .htpasswd file
This file contains the usernames and passwords of those individuals who we authorize access to our directory, and subdirectories. Log into the box with putty and in shell Type htpasswd -c .htpasswd username to create the .htpasswd file and add "username" to list of authorized users. The program will initially prompt you for a password and then ask you to verify it.OR use online tool
For security, you should not upload the htpasswd file to a directory that is web accessible (, it should be placed above your www root directory. You'll be specifying the location to it .in .htaccess file and should be uploaded as ASCII and not BINARY.

Setting the directory permissions

It is not advisable to use the chgrp-httpd script if you are protecting files in your CGI directory. Instead, chmod the protected directory to 711.
This final step is important to make make sure people with local accounts can't access your files via the unix file system. Set the correct permissions on your protected folder by running the following command from within the directory you want to protect:
Editing httpd.conf file
  • The file httpd.conf can be found in /etc/httpd/conf/httpd.conf 
  • Find and change AllowOverride None to AllowOverride All
    # AllowOverride controls what directives may be placed in .htaccess files. # It can be "All", "None", or any combination of the keywords: #   Options FileInfo AuthConfig Limit     AllowOverride All

Accessing Your Protected Site

Your password protected site should now be available: folder/
To enable .htaccess for virtual hosts add this to httpd.conf

No comments:

Post a Comment