Password Protecting a Directory With ".htaccess"

Introduction

This document assumes you have a basic understanding of the UNIX shell.

Web access control on XMission is a function of the web server. It lets you set permissions on who can access your web documents based on username/password, a group defined by you, or the client's Internet address. This method lets you protect access to an entire directory, and any files and directories within it. Since the most common control is by username/password, this document covers instructions for that method only. If you would like to learn how to control access by other methods, you can refer to the Apache web server documentation on the subject.

When setting up password protection on a directory, you will need the following two files:

  • .htaccess - This file is placed in the directory to be protected, and it defines the restriction types and rules to be followed.
  • password file (You may choose the name.) - This file contains clear text usernames with encrypted passwords. We recommend that you put this file in your root directory.


Creating the .htaccess File

The .htaccess file defines what type of control to use, what file to reference for usernames and passwords, what the dialog box will say when a user is prompted for a password, and what requirements should be met.


Placement and Permissions

The .htaccess file should be placed in the directory that you want to protect. The file should be owned by you with the group "www-data", and permissions set to 640. When this is done correctly, a long listing showing the file will look like this:

-rw-r----- 1 acctname www-data 170 Aug 24 2001 .htaccess

Format

The format of the file should be as follows, with no blank lines before the text begins:

AuthUserFile /var/www/vhosts/domain.tld/.passwordfile
AuthGroupFile /dev/null
AuthName 'Access For Valid Users'
AuthType Basic
<Limit GET>
require valid-user
</Limit>

The AuthUserFile is the file that has the authorized users' usernames and passwords. This must be the complete path.

The AuthGroupFile isn't used when simply password protecting a directory. Because of this, we've identified it as /dev/null (effectively, nothing).

The AuthName is the dialog that will be shown when a user is prompted for their username and password.

AuthType is the type of authentication that will be used. For password protecting a directory, it just needs to be "Basic".

The <Limit> tag defines both what is allowed to be done in the directory, and the requirements for allowing someone into it.

Creating the Password File

The password file is the file that contains the usernames and passwords that the .htaccess file will reference for authentication.

Placement and Permissions

The password file should be placed outside of your public_html directory for added security. Files in your root directory, outside public_html, can't be viewed from the web. The file should be owned by you with the group "www-data", and permissions set to 640. When this is done correctly, a long listing showing the file will look like this:

-rw-r----- 1 acctname www-data 170 Aug 24 2001 .passwordfile

Creation

In the directory where you wish to create the password file, type the following:

htpasswd -c passwordfile username

You will then be prompted to enter the password for "username". You may replace "passwordfile" with the name of your password file, and "username" with the username you would like to add to it.
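The placement and permission rules given above for both the .htaccess file and the password file can be checked with a short script once both files exist. This is an added example, not XMission's own tooling; the function names and the FINDING output format are made up for illustration. It also reports a require line wrapped in <Limit>, because Apache applies rules inside <Limit GET> only to the methods listed there and its documentation advises against using <Limit> for general access control.

```shell
#!/bin/sh
# Added example (not XMission's own tooling): audit a directory protected as
# described above. Usage: sh audit.sh <protected-dir> <public_html-dir>
# Prints one line per finding; the exit status is the number of findings.

has_mode_640() {
    # With no +/- prefix, find -perm matches the mode exactly.
    [ -n "$(find "$1" -prune -perm 640 2>/dev/null)" ]
}

note() { echo "FINDING: $*"; findings=$((findings + 1)); }

audit_htaccess() {
    docroot=$2 ht="$1/.htaccess" findings=0
    [ -f "$ht" ] || { note "$ht is missing"; return "$findings"; }
    has_mode_640 "$ht" || note "$ht is not mode 640"

    # Path argument of AuthUserFile, with optional double quotes stripped.
    pw=$(awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2; exit }' "$ht")
    case $pw in
        "") note "no AuthUserFile directive" ;;
        /*) case $pw in
                "$docroot"/*) note "$pw is inside the web root" ;;
            esac
            if [ ! -f "$pw" ]; then
                note "password file $pw does not exist"
            elif ! has_mode_640 "$pw"; then
                note "$pw is not mode 640"
            fi ;;
        *)  note "AuthUserFile '$pw' is not a complete path" ;;
    esac

    grep -qi '^[[:space:]]*require[[:space:]]' "$ht" || note "no require line"

    # Rules inside <Limit GET> bind only the listed methods; requests using
    # other methods are not covered by the require line.
    if grep -qi '^[[:space:]]*<Limit[[:space:]>]' "$ht"; then
        note "require is inside <Limit>; unlisted methods are unrestricted"
    fi
    return "$findings"
}

if [ "$#" -eq 2 ]; then audit_htaccess "$1" "$2"; fi
```

The script does not check file ownership or the "www-data" group, and it compares paths as written without resolving symbolic links.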

Changing Passwords

To change a password for a user, go to the directory where the password file is located, and type the following:

htpasswd passwordfile username

You will then be prompted to enter the new password for "username".

Removing Users

To remove a user from the password file, simply edit the file with a text editor, delete the line containing the user's name and password, and then save it.


Enabling Directory Tree Viewing

For security reasons, directory tree viewing is disabled by default. If you'd like to show a directory tree of all the files in a specified directory, however, the option is available. You'll need to create a file called .htaccess in the directory that you want viewable. In your XMission shell, you can do this by issuing the command
echo Options +Indexes > .htaccess
inside the directory you wish to make viewable.

Controlling your error page

You can use the ErrorDocument directive to change the 404 error page that comes up when someone accesses a bad URL on your webspace. The syntax is as follows:

ErrorDocument 404 /~username/my_404_error.html

For more details about this directive (and other htaccess directives), visit:

http://httpd.apache.org/docs/mod/core.html#errordocument

