Password Protecting Web Directories with .htaccess
You can now password-protect specific directories within your website by placing special access
control files within the directories you want to protect.
- Create a ".htaccess" file. This is an Access Control File which will contain rules on who can access your website.
- Create a ".htpass" file. This is a password file which will contain a list of usernames and passwords of people who can access your protected directory.
- Transfer the ".ht" files. Transfer both of these files to the directory you wish to protect.
- More about ".htaccess". There is more to ".htaccess" than meets the eye. Here is some additional information.
1. Create the ".htaccess" access control file
Create this file using Notepad, SimpleText or some other plain text editor. When
complete, transfer the file using your favourite FTP program to the directory to be
protected in your WEBPOST web account. Here is a sample of the ".htaccess" file
used to protect a directory:
AuthUserFile /usr/local/ns-home/docs/webpost/help/PasswordProtection/.htpass
AuthName My Web Site
<Limit GET POST>
require valid-user
</Limit>
- Leave a blank line at the end of your file.
- Note: If you cannot create a file called ".htaccess" on your PC, give it a
different name such as "htaccess.txt". When you transfer this file to your
WEBPOST account, use your FTP program to rename it to ".htaccess". Your
directory will not be protected unless a valid ".htaccess" and password file are
present.
2. Create the ".htpass" password file
The ".htpass" file is a list of usernames and encrypted passwords that may
look like the following:
PHIL1010:9AFcmybXs1JV2
SOCRATES:o8d8I.6b.hwWg
PLATO:wizDR5wi.JkYc
Each username and password is separated by a colon. You can create this file on any
DOS, Windows 3.x/95/98/NT system using the following utility: htpass.exe.
Download htpass to your local drive and store it in a directory such as
"C:\WEBPASS".
Open a DOS shell window and change into the WEBPASS directory.
Enter the following command to create a password file and add your first user:
htpass -c htpass.pwd myclass
You will first be prompted for a password for "myclass" (or whatever username
you choose). You will be prompted to re-type the password a second time. Here is what the
session would look like:
C:\webpass>htpass -c htpass.pwd myclass
Adding password for myclass.
New password:
Re-type new password:
C:\webpass>
- The "-c" switch creates the specified password file. After the file has been
created, you can add new users or change existing passwords with the following command:
htpass htpass.pwd nextuser
C:\webpass>htpass htpass.pwd nextuser
Adding password for nextuser.
New password:
Re-type new password:
C:\webpass>
The simplest approach is to create a single login for your site and share that password
with anyone authorized to get in. If you prefer, you can create dozens of passwords --
enough for each member of your class. If you choose to use this service, it will be up to
you to manage these passwords.
3. Transfer ".htaccess" and ".htpass" to the
protected directory in your WEBPOST account.
In order to work, your protected directory must contain valid .htaccess and .htpass
files. On some systems (DOS, Windows 3.x), you cannot create file names such as
".htaccess". However, you can transfer these files to your WEBPOST account using
FTP. Once the files have been transferred, you can also use your FTP program to rename
them.
Security note: we have configured our web server so that ".htaccess" and
".htpass" files cannot be viewed by any browser over the web. If you make
frequent changes to your ".htpass" file, you can also call it
"htpass.pwd". "htpass.pwd" files cannot be viewed by browsers on www.yorku.ca.
There are a number of key words and sections that make up ".htaccess"
files. Each is explained below.
AuthUserFile
The full path (as seen from www.yorku.ca) to the ".htpass" password file in the
protected directory. In other words, to protect
http://www.yorku.ca/faculty/academic/professor/myclass you would need to specify:
AuthUserFile /usr/local/ns-home/docs/webpost/faculty/academic/prof/myclass/.htpass
AuthName
Simply the name of your protected area. It will appear in the login prompt.
<Limit GET POST> </Limit>
Use the Limit tag to specify the HTTP actions you wish to permit. GET and POST will
allow users to get pages and post forms on your site.
require valid-user
This directive allows all users in the specified .htpass file to log into the
directory.
require user user1 user2 user3
Allows a list of specific users to log into the directory.
The following Appendix is from Netscape's "Using .htaccess instead of
.nsconfig".
Appendix A - Supported .htaccess Directives
The following .htaccess directives are supported in this release:
Allow
Syntax:
allow from host host ...
where host is all (to allow access from all client hosts), a full DNS host name or its
trailing domain part, or a full or partial IP address.
Must be enclosed within a <Limit> range.
Effect:
Allows access to the specified hosts. Normally appears inside a <Limit>
range.
AuthGroupFile
Syntax:
AuthGroupFile filename
where filename is the name of a file containing group definitions in the form:
Must not appear within a <Limit> range.
Effect:
Specifies that the named group file is to be used for any group definitions referenced
in a require group directive.
AuthUserFile
Syntax:
AuthUserFile filename
where filename is the name of a file containing user definitions in the form:
where username is a user login name, and password is the crypt()-encrypted
password.
Must not appear within a <Limit> range.
Effect:
Specifies that the named user file is to be used for any user names referenced in a
require user or require valid-user directive.
AuthName
Syntax:
AuthName authentication realm
where authentication realm is a string identifying an authorization realm to be
associated with any request for user authentication.
Must not appear within a <Limit> range.
Effect:
The authentication realm string typically appears in the prompt for username and
password on the client side. It may affect caching of username and password on the
client.
AuthType
Syntax:
AuthType Basic
Must not appear within a <Limit> range.
Effect:
Specifies the user authentication method as HTTP Basic Authentication, the only method
currently supported.
Deny
Syntax:
deny from host host ...
where host is all (to deny access from all client hosts), a full DNS host name or its
trailing domain part, or a full or partial IP address.
Must be enclosed within a <Limit> range.
Effect:
Denies access to the specified hosts. Normally appears inside a <Limit>
range.
<Limit>
Syntax:
<Limit method method ...> allow, deny, order, or require directives
</Limit>
where method is an HTTP method such as GET, POST, or PUT.
Effect:
Applies the enclosed directives only for requests using the specified HTTP
methods.
Order
Syntax:
order ordering
where ordering is one of:
allow,deny
deny,allow
mutual-failure
Must be enclosed within a <Limit> range.
Effect:
allow,deny evaluates allow directives and then deny directives. deny,allow evaluates
deny directives and then allow directives.
mutual-failure denies access for a host listed in both allow and deny directives,
regardless of their ordering.
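As an added example, not part of the Netscape document or this page, the following Python applies the three orderings to one client using the host-matching rules given above for allow and deny (a token starting with a digit is taken to be an IP prefix, a simplification). The ordering semantics are those Apache httpd documents for its Order directive, assumed here to match the summary above; Apache also documents mutual-failure as equivalent to allow,deny. SAMPLE_LIMITS encodes the <Limit> blocks of the sample .htaccess at the end of this page, which admits GET and POST from every host and refuses PUT and DELETE from every host.

```python
# Host-matching rules for allow/deny tokens, per Appendix A: "all", a full or
# partial (dotted-prefix) IP address, or a DNS name or its trailing domain part.
def host_matches(pattern, hostname, ip):
    pattern = pattern.lower().strip(".")
    if pattern == "all":
        return True
    if pattern[0].isdigit():  # simplification: a leading digit means an IP prefix
        return ip == pattern or ip.startswith(pattern + ".")
    hostname = hostname.lower()
    return hostname == pattern or hostname.endswith("." + pattern)

def host_allowed(order, allow, deny, hostname, ip):
    """Decide one client's fate under an order directive and its allow/deny lists."""
    in_allow = any(host_matches(p, hostname, ip) for p in allow)
    in_deny = any(host_matches(p, hostname, ip) for p in deny)
    if order in ("allow,deny", "mutual-failure"):
        # allow directives first, then deny: a host in neither, or in both, is refused.
        # Apache documents mutual-failure as equivalent to allow,deny.
        return in_allow and not in_deny
    if order == "deny,allow":
        # deny directives first, then allow: a host in neither, or in both, is admitted.
        return in_allow or not in_deny
    raise ValueError(f"unknown order: {order!r}")

# The <Limit> blocks of the sample .htaccess at the end of this page, encoded
# (constructed here) as method -> (order, allow hosts, deny hosts).
SAMPLE_LIMITS = {
    "GET": ("deny,allow", ["all"], ["all"]), "POST": ("deny,allow", ["all"], ["all"]),
    "PUT": ("deny,allow", [], ["all"]), "DELETE": ("deny,allow", [], ["all"]),
}

def method_allowed(method, hostname, ip, limits=SAMPLE_LIMITS):
    """<Limit> applies only to the listed methods; other methods carry no host restriction."""
    if method.upper() not in limits:
        return True
    order, allow, deny = limits[method.upper()]
    return host_allowed(order, allow, deny, hostname, ip)
```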
Require
Syntax:
require group groupname groupname ...
require user username username ...
require valid-user
Must be enclosed within a <Limit> range.
Effect:
require group requires the authenticated user to be a member of one of the specified
groups.
require user requires the authenticated user to be one of the specified users.
require valid-user requires an authenticated user.
Here is a sample .htaccess file, so you can see what it looks like.
<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
AuthName mxyzptlk.kawaii.com
AuthUserFile /DocRoot/mxyz-docs/_vti_pvt/service.pwd
AuthGroupFile /DocRoot/mxyz-docs/_vti_pvt/service.grp
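As an added example, not part of this page or the Netscape document, this Python checker applies the placement rules from Appendix A to an .htaccess file and warns when a password file is named but no require directive asks anyone to log in. It assumes directive names are case-insensitive and treats the first word of each line as the directive; the two .htaccess samples from this page are reproduced inline as input.

```python
import re

# Appendix A placement rules: LIMIT_ONLY must sit inside <Limit>, TOP_ONLY must not.
LIMIT_ONLY = {"allow", "deny", "order", "require"}
TOP_ONLY = {"authuserfile", "authgroupfile", "authname", "authtype"}

def lint_htaccess(text):
    """Return a list of problems in an .htaccess file (empty list = clean)."""
    issues, in_limit, saw_require, saw_userfile = [], False, False, False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if re.fullmatch(r"<Limit(\s+[^>]+)?>", line, re.I):
            in_limit = True
            continue
        if re.fullmatch(r"</Limit>", line, re.I):
            in_limit = False
            continue
        name = line.split()[0].lower()
        if in_limit and name in TOP_ONLY:
            issues.append(f"line {lineno}: {name} must not appear within <Limit>")
        if not in_limit and name in LIMIT_ONLY:
            issues.append(f"line {lineno}: {name} must be enclosed within <Limit>")
        saw_require = saw_require or name == "require"
        saw_userfile = saw_userfile or name == "authuserfile"
    if in_limit:
        issues.append("unterminated <Limit> at end of file")
    if saw_userfile and not saw_require:
        # A password file alone asks nobody to log in; only a require directive does.
        issues.append("AuthUserFile given but no require directive: no login is enforced")
    return issues

# The two .htaccess files shown on this page, reproduced inline as test input.
SAMPLE_PASSWORD = """\
AuthUserFile /usr/local/ns-home/docs/webpost/help/PasswordProtection/.htpass
AuthName My Web Site
<Limit GET POST>
require valid-user
</Limit>
"""
SAMPLE_NETSCAPE = """\
<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
AuthUserFile /DocRoot/mxyz-docs/_vti_pvt/service.pwd
"""
```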