How can I password protect directories in my site?
To password protect directories on your site, you will need to upload two additional files. The first is named .htaccess and should reside in the directory you want to protect; this file sets all the options related to that directory. The second file is normally called .htpasswd, and contains all the username and password combinations. A single .htaccess file will protect the directory you place it into, and all the directories beneath it as well. The .htaccess file should be created and uploaded as a plain text file; you can use Notepad on Windows to create plain text files. If you already have a .htaccess file with other directives, such as those for custom error documents, you can add the password protection directives before or after the existing configuration data.
Example .htaccess File:
AuthUserFile /path/to/.htpasswd
AuthName "Private Area"
AuthType Basic
Require User example
The AuthUserFile directive tells the server where to locate your list of users and their passwords. AuthName sets what the browser displays in the box when it prompts for a username and password. Unless you plan to use digest authentication (beyond the scope of this document), AuthType should be left set as ‘Basic’. The <Limit> section specifies which users can make certain types of requests. For simple password protection <Limit GET> is probably adequate, though <Limit GET POST PUT DELETE> will limit most common request types. The Require User line can take either several usernames separated by a space, or ‘valid-user’, which will allow any users who appear in the .htpasswd file to access the directory.
Example .htpasswd File:
The usernames appear on the left, separated by a : from the encrypted password, which appears on the right-hand side.
Example .htgroup File:
group1: user1 user2 user3
group2: user6 user1 user4
The .htgroup file is optional, and is activated by including its location in the .htaccess file with the AuthGroupFile directive, in much the same way as AuthUserFile. The concept of groups simplifies the administration of a password protected area when you have a larger number of users. The Require directive is used with groups in a similar way as with users. Using the example above, “Require Group group1” would permit everyone in the group ‘group1’ to access that directory; in this case user1, user2 and user3.
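The following added example, which is not part of the original FAQ, audits a set of these files in Python: it resolves the Require lines against the .htpasswd and .htgroup contents, reports users who are named but have no password entry, and lists the common request methods a <Limit> section leaves uncovered, since Apache applies the enclosed restrictions only to the methods listed. The file contents, the /home/example paths and the hash strings are constructed placeholders.

```python
# Constructed sample files: the paths, users and hashes are placeholders.
HTACCESS = """\
AuthUserFile /home/example/.htpasswd
AuthGroupFile /home/example/.htgroup
AuthName "Private Area"
AuthType Basic
<Limit GET>
Require Group group1
Require User user6
</Limit>
"""
HTPASSWD = "user1:CONSTRUCTED-HASH-1\nuser2:CONSTRUCTED-HASH-2\n"
HTGROUP = "group1: user1 user2 user3\ngroup2: user6 user1 user4\n"
COMMON_METHODS = {"GET", "POST", "PUT", "DELETE"}  # the methods the page lists

def parse_passwd(text):
    """Return the usernames: everything left of the first ':' on each line."""
    return {ln.split(":", 1)[0].strip() for ln in text.splitlines() if ":" in ln}

def parse_groups(text):
    """Turn 'group: user user ...' lines into {group: set(users)}."""
    pairs = (ln.split(":", 1) for ln in text.splitlines() if ":" in ln)
    return {name.strip(): set(members.split()) for name, members in pairs}

def audit(htaccess, passwd_text, group_text=""):
    """Resolve the Require lines; report who can log in and what is left open."""
    known, groups = parse_passwd(passwd_text), parse_groups(group_text)
    named, any_valid, limited = set(), False, None
    for ln in htaccess.splitlines():
        words = ln.split() or [""]
        key, args = words[0].lower(), words[1:]
        if key == "<limit":  # restrictions inside apply only to these methods
            limited = {w.rstrip(">").upper() for w in args} - {""}
        elif key == "require" and args:
            kind = args[0].lower()
            if kind == "valid-user":
                any_valid = True
            elif kind == "user":
                named.update(args[1:])
            elif kind == "group":
                named.update(*(groups.get(g, set()) for g in args[1:]))
    return {
        "allowed": sorted(known if any_valid else named & known),
        "no_password": sorted(named - known),  # named but absent from .htpasswd
        "unprotected_methods": sorted(COMMON_METHODS - limited) if limited is not None else [],
    }

if __name__ == "__main__":
    print(audit(HTACCESS, HTPASSWD, HTGROUP))
```

With the sample files, user3 and user6 are permitted by the Require lines but cannot log in until they are added to .htpasswd, and POST, PUT and DELETE requests are not covered by the <Limit GET> section.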
Encrypting the Passwords:
Password encryption is performed with the ‘htpasswd’ utility, which you can use by logging into the system by ssh or telnet. See the question “How do I telnet/SSH to the server?” for details on how to use telnet/ssh. An example session that creates the .htpasswd file with one username, and then adds a second username, is included below:
(Please note that passwords will not appear on the screen)
Connected to web.pagehosting.co.uk.
$ htpasswd -c .htpasswd user1
Adding password for user1.
Re-type new password:
$ htpasswd .htpasswd user2
Adding user user2
Re-type new password:
You can also find out the location of your home directory using the command ‘pwd’. This path is used when you specify the location of user and group files.