How to restrict access to a web site folder
Have you ever wanted to control access to a directory or file on your website?
Well, it’s actually quite simple to do this using an “.htaccess” file placed in that very directory of your website.
Currently this only works for Unix/Linux/Apache based hosts.
If you’re hosting your site with a hosting company and you have a control panel to manage your site, you most likely have a more automated method for doing this. This article will explain how to do it manually, mainly for people with ‘root’ access to the server.
So what is this .htaccess file?
A description of an .htaccess file as stated on the Apache website is
.htaccess files (or “distributed configuration files”) provide a way to make configuration changes on a per-directory basis.
Basically it allows you to make configuration changes to the functionality of the web server, but on a per directory basis.
OK, let’s do this already.
First, log in via SSH to the server hosting your website.
Change to the directory that you would like to restrict access to, or create it if it does not already exist.
In that directory we’ll create the .htaccess file.
Using your favorite text editor (I like vi) create and open this file.
# vi .htaccess
*Note: Make sure you have a dot ( . ) at the beginning of the file name.
That tells the webserver not to allow web browsers to simply access the file as they would any other file on your site.
Enter the following text into the file
AuthName "Authorized Users Only."
AuthType Basic
AuthUserFile /etc/httpd/conf/.htpasswd
Require user testusr
You can change “testusr” to whatever username you would like to access this directory.
What these lines basically mean is
AuthName - The title of the login box that pops up when someone attempts to access the directory.
AuthType - The type of processing (authentication type) to use (‘Basic’ being the most common).
AuthUserFile - The location and name of the file where we will store our username/password information.
Require user - A space separated list of users to allow access to this directory (we’re only allowing one user).
If you have trouble logging in you can also try using ‘Require valid-user’ in place of ‘Require user testusr’.
This will simply allow any valid user that exists in your .htpasswd file, rather than telling it which specific users to allow.
Next, we’ll create the actual user and .htpasswd file we specified in the .htaccess file.
If the .htpasswd file does not already exist in /etc/httpd/conf/ then we’ll create it and add the user with
# htpasswd -c /etc/httpd/conf/.htpasswd testusr
If the file does already exist then we don’t want to use the ‘-c’ option, so use the command
# htpasswd /etc/httpd/conf/.htpasswd testusr
Either way, you will be prompted for the password twice after executing the command.
Enter the password you want to use (remember, you won’t see the password you’re typing).
Also, you should probably set the ownership on the .htpasswd file
# chown apache:apache /etc/httpd/conf/.htpasswd
We now have the .htaccess file set to tell Apache to restrict access, and we have the .htpasswd file in place to tell Apache about the users/passwords that exist.
Just one more thing that we need to check.
In your /etc/httpd/conf/httpd.conf file, find the line that says
AllowOverride None
This line should be somewhere underneath the <Directory "/var/www/html"> line.
Change it to
AllowOverride AuthConfig
This tells Apache to allow your website to override the global authentication settings with the settings in your .htaccess file.
Save the file and restart Apache with
/etc/init.d/httpd restart
Assuming that all went well, you should now have a password-protected directory on your website.
All that’s left is to make sure you have a file in that directory and then try to access it from a web browser.
It should prompt you for a username and password.
Voila!
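A check for the finished setup, as an added example that is not part of the original article: a shell function that lints the .htaccess from the steps above for the mistakes that most often break or weaken it. The function names, messages and temp-directory demo are constructed for illustration, and paths are compared as written, without resolving symlinks.

```shell
#!/bin/sh
# Added example: lint the .htaccess / .htpasswd pair set up by the steps above.
# check_htaccess PROTECTED_DIR DOCUMENT_ROOT
# Prints one line per finding; returns 0 if clean, 1 otherwise.

# First argument of directive $1 in file $2, double quotes removed.
directive() {
    awk -v d="$1" 'tolower($1) == tolower(d) { print $2; exit }' "$2" | tr -d '"'
}

check_htaccess() {
    ht="$1/.htaccess"; docroot=${2%/}; bad=0
    [ -f "$ht" ] || { echo "no .htaccess in $1"; return 1; }
    # Apache does not treat typographic quotes as quoting, so a value with
    # spaces becomes several arguments and requests fail with a 500 error.
    if grep -q -e '“' -e '”' "$ht"; then
        echo "typographic quotes in $ht"; bad=1
    fi
    [ "$(directive AuthType "$ht" | tr 'A-Z' 'a-z')" = basic ] ||
        { echo "AuthType Basic missing"; bad=1; }
    grep -qi '^[[:space:]]*Require[[:space:]]' "$ht" ||
        { echo "no Require line, so no login is enforced"; bad=1; }
    pw=$(directive AuthUserFile "$ht")
    if [ -z "$pw" ] || [ ! -f "$pw" ]; then
        echo "AuthUserFile missing or not found: $pw"; bad=1
    else
        # A password file under the document root is one misconfiguration
        # away from being downloadable.
        case $pw in "$docroot"/*) echo "$pw is inside $docroot"; bad=1 ;; esac
        # Hashes readable by every local account can be cracked offline.
        [ -z "$(find "$pw" -perm -004)" ] || { echo "$pw is world-readable"; bad=1; }
    fi
    return "$bad"
}

# Constructed demo: the article's layout recreated under a temp directory.
demo() {
    t=$(mktemp -d); mkdir -p "$t/html/private" "$t/conf"
    : > "$t/conf/.htpasswd"; chmod 640 "$t/conf/.htpasswd"
    printf '%s\n' 'AuthName "Authorized Users Only."' 'AuthType Basic' \
        "AuthUserFile $t/conf/.htpasswd" 'Require user testusr' \
        > "$t/html/private/.htaccess"
    check_htaccess "$t/html/private" "$t/html"; rc=$?
    rm -rf "$t"; return "$rc"
}
demo && echo "demo configuration is clean"
```

On a real server, run it as `check_htaccess /var/www/html/yourdir /var/www/html`, where `yourdir` stands for the directory you protected.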
-------------------------
August 4th, 2008 at 9:07 am
i’m not following fully. . . i use cyberDuck to access the server (don’t know anything about it, php, asp, apache , etc) it’s stratus.bluegravity.com i log into with a bunch of different users. i made the .htaccess file and uploaded, then it disappeared.
i can’t follow the part about the .htpasswrd - what’s with the ‘# commands’ ? and i don’t see any .conf files in my directory i want to block.
August 4th, 2008 at 9:21 am
i found this, but still can’t make the .htpasswrd file . . . what is the ‘shell’ i have to type into?
http://www.math.temple.edu/computing/access.html
August 4th, 2008 at 9:50 am
Apache/1.3.37 Server
giving me internal error instead of prompt for PW.
still no clue how to add .htpasswrd file with names.
August 29th, 2008 at 12:16 pm
This was great, thank you so much for posting it. I had to iron out a few mistakes that I made - Had to make sure I change the right AllowOverride, and the locations on my server were different from above, but it worked perfectly once in place. Thanks again!
November 15th, 2008 at 6:10 am
Hey just wanted to say thx for the help, i knew how to restrict file access with .htaccess but not directory access without a GUI to assist me. Just wanted to point out one thing to people who ARE NOT familiar with shell/ssh… in this tutorial each command has a # before it REMOVE THIS! continue with the rest of the command as shown… and for anyone who may not understand (this was kind of unclear to me) wherever you put your .htpasswd file… this is the directory that will be restricted. Thx again.