Thursday, April 9, 2009

.htaccess password setup for webdirectory

.htaccess can be used to password-protect directories on your web site. All files and any subdirectories within a directory protected by htaccess will also be protected.

1) Create a file named .htaccess under the directory which you want to protect

# cd /var/www/project/
# pwd

Use your favourite editor to create a file called .htaccess

# touch .htaccess

2) Add the required lines to this .htaccess file
AuthUserFile /etc/apache/.htpasswd
AuthName "Auth required"
AuthType Basic
Require valid-user
It's a good idea to place the password file in a secure location, such as the /etc/apache folder.

3) Create the .htpasswd file and add the users/passwd
# cd /etc/apache
# htpasswd2 -c .htpasswd sahab
New password:
Re-type new password:
Adding password for user sahab
This adds the user "sahab" and the password to the .htpasswd file. You can open the file and check the entry (you won't be able to read the password).

To delete the user entry: # htpasswd2 -D .htpasswd sahab
To add new user: # htpasswd2 .htpasswd user

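4) Configure the Apache configuration file (httpd.conf)
Alias /protect "/var/www/project/"
<Directory "/var/www/project/">
    Options Indexes MultiViews FollowSymLinks
    # AuthConfig lets the .htaccess file in this directory set the Auth* directives
    AllowOverride AuthConfig
    Order allow,deny
    Allow from all
</Directory>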

An .htaccess file is effective for the directory it is placed in as well as any subdirectories. If you wanted to set up a directory so that it could execute CGI scripts, you could use a .htaccess file to do that.

The most important part here is the option "AuthConfig" for "AllowOverride". If for some reason you don't want to use the .htaccess file, just set "AllowOverride" to "None".

5) After making all the required changes, restart the Apache server.

Now browse to the directory path that you have protected and check that you get the username/password dialog. Provide the correct values and check that you are allowed to enter.

Below are the most common problems experienced by users attempting to set up htaccess.

1. Permissions on both .htaccess and .htpasswd - Both the .htaccess and .htpasswd files need to be world readable.
2. Fully qualified path to .htpasswd incorrect - The correct fully qualified path to a valid .htpasswd file must appear beside AuthUserFile in the .htaccess file.
3. The username doesn’t exist in .htpasswd
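
The three problems above can be checked in one pass with a small script. This is an added example, not part of the original post; the function names and the script name check_htaccess.sh are hypothetical, and it tests the "world readable" rule literally by looking at the "other" read bit.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# True if the "other" read bit is set: 8th character of `ls -ld` output.
world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# check_htaccess DIR USER
# Prints one line per finding; returns the number of problems found (0 = OK).
check_htaccess() {
    dir=$1; user=$2; problems=0
    ht="$dir/.htaccess"
    [ -f "$ht" ] || { echo "FAIL: no .htaccess in $dir"; return 1; }

    # Problem 1 (part): .htaccess must be world readable.
    world_readable "$ht" ||
        { echo "FAIL: $ht is not world readable"; problems=$((problems + 1)); }

    # Problem 2: AuthUserFile must be a fully qualified path to an existing file.
    pwfile=$(awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2; exit }' "$ht")
    case $pwfile in
        /*) ;;
        *)  echo "FAIL: AuthUserFile '$pwfile' is not a fully qualified path"
            return $((problems + 1)) ;;
    esac
    [ -f "$pwfile" ] ||
        { echo "FAIL: $pwfile does not exist"; return $((problems + 1)); }

    # Problem 1 (rest): .htpasswd must be world readable too.
    world_readable "$pwfile" ||
        { echo "FAIL: $pwfile is not world readable"; problems=$((problems + 1)); }

    # Problem 3: the user must have an entry (first colon-separated field).
    awk -F: -v u="$user" '$1 == u { found = 1 } END { exit !found }' "$pwfile" ||
        { echo "FAIL: user '$user' is not in $pwfile"; problems=$((problems + 1)); }

    [ "$problems" -eq 0 ] && echo "OK: $ht and $pwfile pass all three checks"
    return "$problems"
}

# Run as: sh check_htaccess.sh /var/www/project sahab
if [ "$#" -eq 2 ]; then
    check_htaccess "$1" "$2"
fi
```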
