Password Protecting website Pages and Directories using .htaccess.
Recently I came across an issue of listing the directory struture and files in the web browser of a web site.The website was hosted on an Apache web server.After searching Google and reading the Apache HTTP Server documentation I could revolve the issue by doing few things related to the .htaccess file.
This is a common requirement among Bloggers and webmasters.You do not want the public users to access certain folders or files on your website.You can set authentication mechanism to restrict access those files and folders.Once you configure this,when a user try to access the particular resource a pop up will appear asking the user to enter user name and password to gain access.That pop up would be something similar to this.
Configure Apache’s .htaccess files to protect pages/directories on your site with a username and password.
Now let us discuss how do we achieve this on Apache server hosted websites.Apache is used on more than 50% of the sites on the internet.Apache allows you to protect an entire directory, or files that match a certain pattern, and allow them to be accessed by a certain user, a group of users.
You can make this setting either in the global configuration file or in the .htaccess file which is local to every website hosted.Since majority of the website owners will not have access to the global configuration file,it will be easier to use .htaccess file to achieve password protection.
There are two major (but they are simple and straightforward) steps in this process.
- Create a file called .htpasswd on your server that will store your username and password.
- Create a file called .htaccess in the folder you want to protect. ( )
- Create a file called .htgroup for user groups.
Creating a password file.
Method 1. Create the .htpasswd manually. (Read:How to create and use .htaccess file? Common usage and risks)
Open any text editor like Notepad then add the user name/password string into the editor. Save the file and call it .htpasswd.One important thing to note here is that the password should be in encrypted form.The password should be encrypted using the MD5 algorithm.You may need to use some online tool to encrypt your password.There are many free online services available to encrypt the password. Few services given below.
Upload the .htpasswd file to your website.Make sure you place it outside the Web root of your site if possible and put it inside some different directory.Create a directory above your public_html or httpdocs folder and save the .htpasword file there.
Even though the .htpasswd file name can be anything but Apache usually blocks access to files starting with .ht so make sure that you name it something starting with .ht.
Method 2. Create using htpasswd
If you have access to your web server through SSH use the below command to create the password file.
htpasswd [-c] passwordfile username
The -c flag creates a new file. This command will prompt you to type in the password.The password file will get generated automatically.The htpasswd utility comes with Apache.
Create a file for user groups.
AuthGroupFile sets the name of a text file containing the list of user groups for authorization.One important thing here to make sure is that the AuthGroupFile should be stored outside the document tree of the web-server.This will prevent clients from downloading the AuthGroupFile.The group file normally named as .htgroup.
For example you can add a user goup in the file as follows.
mygroup: Rob Bob Job
Creating a .htaccess file
To know more dtails read :How to create and use .htaccess file? Common usage and risks
In the directory to be protected, create a file called .htaccess, and add the content like follows.
To allow just one username, rather than a whole group, use the following:
1 2 3 4
AuthUserFile /full/path/to/.htpasswd AuthName "Protected Info" AuthType Basic require user
To allow a whole group, use the following:
1 2 3 4 5
AuthUserFile /full/path/to/.htpasswd AuthGroupFile /full/path/to/.htgroup AuthName "Protected Area" AuthType Basic require group groupname
To protect just a file add the following
1 2 3 4 5 6 7
AuthUserFile /full/path/to/.htpasswd AuthType Basic AuthName "This is confidential" <Files "filtobeprotected.ext"> Require valid-user </Files>
The important thing to note here is that you just add the .htaccess file in the directory to be protected.Remember that the file paths used should be the absolute path to the group/password file.Otherwise it is treated as relative to the Server-Root.
The .htaccess files should be used in a case you need to make configuration changes to the server on a per-directory basis.Otherwise if you have access to the main server configuration file you prefer editing that file.
- How to create and use .htaccess file? Common usage and risks
- Website or Web page redirection using a .htaccess file?
- How to specify your own ErrorDocuments using .htaccess file?