Friday, 24 October 2008

Setting Up .htaccess

htaccess can be used in co-ordination with the Apache web server to password protect certain files and directories on your web server.

This document assumes that you have Apache already set up and running correctly. If this is not the case please visit for help with installing and configuring Apache.

For my own sanity I'm going to assume that you followed the Apache Setup Guide on our site and that you have apache installed at /usr/local/apache and your HTML documents are located in /usr/local/apache/htdocs. Now let's say you have a directory called admin in /usr/local/apache/htdocs and you would like to password protect it and give certain users access. The first thing you need to do is open up your httpd.conf file and find the section that looks similar to this:

Options FollowSymLinks
AllowOverride None

Once you've found the similar lines in your httpd.conf you can add the following section underneath it:

AllowOverride AuthConfig
Options Indexes FollowSymLinks Includes
Order allow,deny
Allow from all

Once you've added the new section, save the httpd.conf file and restart apache. You can normally do this by running killall -HUP httpd as root. Now that the admin directory is properly configured for htaccess you'll need to set up the .htaccess and .htpassword files.

Change into the directory you want to protect (for this guide we are using /usr/local/apache/htdocs/admin) and create a file called .htaccess. To do this you can run touch .htaccess in the directory. Now open up the file with a text editor (nano, pico, vi, joe etc) and enter in the following lines:

AuthUserFile /usr/local/apache/htdocs/admin/.htpasswd
AuthName "Authorization Required"
AuthType Basic
require valid-user

The AuthUserFile directive containts the path to the password file that users will be authenticated against.

AuthName is the message that will appear on the login prompt. The default is Authorization Required but you can change this to whatever you like.

AuthType selects the type of user authentication that will be used. You can leave this as Basic

require let's all the valid users in the .htpasswd file access the directory.

Once your .htaccess file is set up, save and exit the file. You must now create the .htpasswd file. To do this you can use the htpasswd program that comes Apache. If you followed the Apache Guide, htpasswd should be located in /usr/local/apache/bin. If not you can run updatedb as root and then type locate htpasswd to find it.

To create the initial .htpasswd file you must use the -c flag. As root run:

htpasswd -c /usr/local/apache/htdocs/admin/.htpasswd username

Don't forget to change the directory .htpasswd will be located in. The above is set up for securing /usr/local/apache/htdocs/admin. As well change username to whatever username you want to use to log in. It will then prompt you for a password. The next time you add a user you can drop the -c flag since it is only used for the inital creation of the file.

If you haven't already restarted your Apache web server now is the time to do so. Once that has been taken care of, open up a web browser and try to access and see if it prompts you for a password. If something goes wrong check the Apache error log file.

No comments: