USING .HTACCESS & HTPASSWD TO PROTECT YOUR FILES FROM UNAUTHORIZED ACCESS
It is possible there are parts of your site which you would prefer that not just anyone have access to. APACHE and other web servers provide a system that you can use to control access to certain directories on your website. You might have a family photo album on line that you want only your family to see. No matter what your little secret is, I will show you how to help keep private things a little more private. I am sure that in your surfing around on the ‘Net you have every once in a while run into:
not a real screen! This is not JAVA or CGI-BIN, but something that is very easy to implement- even for a newer web author. The .htaccess feature of your server is activated simply by placing a small file in the directory you want to protect. Guess what the file is called? Yes, you’re correct! .htaccess
Before taking you through the steps of setting up this protection scheme, please take a moment to look at some things you should know.
- Nothing in life is truly secure. There may be holes in this system.
- The user name and password are transmitted as plain, readable text, they are not encrypted.
- If you plan on giving passwords to people, keep in mind that it is an extra maintainence function for you to perform.
- To setup .htaccess you must be able to access your server using telnet, this cannot be done using FTP. If you do not have telnet access to your site, check your provider’s FAQ or reference pages to see if they have a script you can use for setting passwords.
|
Setting up an .htaccess Protected Directory
Installing the .htaccess involves a few steps. The most important thing is to make sure you do not install the .htaccess file in your main web directory. If you do, everyone will be locked out of your website. Unless this is what you want to do, make sure you create the directory and are located in it before creating the file.
- Step 1: See where you are. At your prompt enter the command pwd to see what directory you are in. If you already have made your new directory and are in it- go to Step 3.
- Step 2: issue the command mkdir dirname where dirname is what you want to call the directory you will be protecting. Then enter the command cd dirname
- Step 3: Using an editor such as vi or pico, create a file called .htaccess (lower case letters of course- with the leading period) that looks just like this:
AuthUserFile /usr/www/dirname/.htpasswd
AuthGroupFile /dev/null
AuthName "The Secret Page"
AuthType Basic
<Limit GET POST>
require valid-user
</Limit>
- Step 4: Change the AuthUserFile so that the UNIX PATH matches that of your system. This is where the password file that we will create in a moment will reside.
- Step 5: Change The Secret Page to be whatever title you want to have appear on the password box.
- Step 6: To create the password file, issue the following command: (NOTE: you only do it this way to create a new file)
htpasswd -c .htpasswd user_name (where user_name is a name)
If you get a message like, htpasswd: not found enter the command type htpasswd. If that doesn’t do the trick, try which httpd. If htpasswd is not in your path, you will have to add that directory to your path or enter the command as /what/ever/dir/htpasswd -c user_name
- Step 7: The system will ask you to enter the password for this user. It will then ask you a second time to confirm your typing.
- Step 8: Continue to add new users, but with this version of the command. The -c option is only for the initial creation of the file.
htpasswd .htpasswd new_name |
That is all there is to it! If you experience any unexpected problems, or you change your mind about restricting access, just issue the command:
rm .htaccess