Password Protecting a Directory With ".htaccess"

From XMission Wiki
Jump to: navigation, search

Introduction

This document assumes you have a basic understanding of the UNIX shell.

Web access control on XMission is a function of the web server. It lets you set permissions on who can access your web documents based on username/password, a group defined by you, or the client's Internet address. This method will allow you to protect access to an entire directory, and any files and directories within it. Since the most common control used is by username/password, the the following document covers instructions for that method only. If you would like to learn how to control access by other methods, you can refer to the Apache web server documentation on the subject.

When setting up password protection on a directory, you will need the following two files:

  • .htaccess - This files is placed in the directory to be protected and it defines the restriction types and rules to be followed.
  • password file (You may choose the name.) - This file contains clear text usernames with encrypted passwords. We recommend that you put this file in your root directory.


Creating the .htaccess File

The .htaccess file is the file that defines what type of control to use, what file to reference for usernames/password, what the dialog box will say when prompted for a password, and what requirements should be met.


Placement and Permissions

The .htaccess file should be placed in the directory that you want to protect. The file should be owned by you with the group "www-data", and permissions set to 640. When this is done correctly, a long listing showing the file will look like this:

-rw-r----- 1 acctname www-data 170 Aug 24 2001 .htaccess

Format

The format of the file should be as follows, with no blank lines before the text begins:

AuthUserFile /var/www/vhosts/domain.tld/.passwordfile
AuthGroupFile /dev/null
AuthName 'Access For Valid Users'
AuthType Basic
<Limit GET>
require valid-user
</Limit>

The AuthUserFile is the file that has the authorized users' usernames and passwords. This must be the complete path.

The AuthGroup file isn't used when simply password protecting a directory. Because of this, we've identified it as /dev/null (effectively, nothing).

The AuthName is the dialog that will be shown when a user is prompted for their username and password.

AuthType is the type of authentication that will be used. For password protecting a directory, it just needs to be "Basic"

The <Limit> tag defines both what is allowed to be done in the directory, and the requirements for allowing someone into it.

Creating the Password File

The password file is the file that contains the usernames and passwords that the .htaccess file will reference for authentication.

Placement and Permissions

The password file should be placed outside of your public_html directory for added security. Files in your root directory, outside public_html, can't be viewed from the web. The file should be owned by you with the group "www-data", and permissions set to 640. When this is done correctly, a long listing showing the file will look like this:

-rw-r----- 1 acctname www-data 170 Aug 24 2001 .passwordfile

Creation

In the directory you wish to create the password file, type the following: htpasswd -c passwordfile username You will then be prompted to enter the password for "username". You may replace "passwordfile" with the name of your password file, and "username" with the username you would like to add to it.

Changing Passwords

To change a password for a user, go to the directory that the password file is located, and type the following: htpasswd passwordfile username You will then be prompted to enter the new password for "username".

Removing Users

To remove a user from the password file, simply edit the file with a text editor, delete the line the user's name and password is located on, and then save it.


Enabling Directory Tree Viewing

For security reasons, directory tree viewing is disabled by default. If you'd like to show a directory tree of all the files in a specified directory, however, the option is available. You'll need to create a file called .htaccess in the directory that you want viewable. In your XMission shell, you can do this by issuing the command
echo Options +Indexes > .htaccess
inside the directory you wish to make viewable.

Controlling your error page

You can use the ErrorDocument directive to change the 404 error that comes up when someone accesses a bad url on your webspace. The syntax is as follows:

ErrorDocument 404 /~username/my_404_error.html

For more details about this directive (and other htaccess directives), visit:

http://httpd.apache.org/docs/mod/core.html#errordocument


Applications