IO Web Helpdesk - Access Control


The .htaccess file

Complete documentation of this and similar directives can be found on the Apache documentation website at http://www.apache.org/docs/mod/directives.html. Note that not *all* of these directives are user-configurable at Illuminati Online.

To password protect access to your site or to a specific directory, first create a file named .htaccess in the directory that you want to protect. It should contain directives something like this:


AuthUserFile [full path to user file]
AuthGroupFile /dev/null
AuthName "place some message here"
AuthType Basic

require valid-user

You can also specify individual usernames from your .htpasswd file such as:

require user username1
require user username2
require user username3

You can have as many usernames as you wish. Be sure to place the message after the AuthName in quotations or you will get a Server Error.

For instance, if your login name is dozer, and your .htpasswd file resides in your home directory, the first line might be:

AuthUserFile /usr/u/d/dozer/.htpasswd

If you are creating your .htaccess file for a virtual domain, it might use a path more like:

/virtual/customer/your_domain_name_here.com/htdocs/directory_to_protect

NOTE: do NOT place the "www" portion of your domain name in the above example. If your domain name is, say, www.abc.com, then you would use:

/virtual/customer/abc.com/htdocs/directory_to_protect

The .htpasswd file

The next step is the creation of the .htpasswd file. This file contains a list of the usernames and passwords.

Important Note: There is no correspondence between usernames and passwords on specific Unix systems (e.g. in an /etc/passwd file) and usernames and passwords in the authentication schemes we're discussing for use in the Web. Web-based authentication uses similar but wholly distinct password files; a user need never have an actual account on a given Unix system in order to be validated for access to files being served from that system and protected with HTTP-based authentication.

In simple terms this means that you can use whatever usernames and passwords you want, for anyone, since there is absolutely no connection between the .htpasswd file's usernames and passwords and Unix logins or accounts. (From NCSA's User Authentication Tutorial)

The .htpasswd file can be placed anywhere under your home directory but you may find it easier to keep it in the same location as your .htaccess file.

To create the .htpasswd file, telnet into the server, log in, go to the correct working directory, and then run the htpasswd command from your Unix prompt in the following format:

/usr/sbin/htpasswd [-c] .htpasswd {username}

This command line will prompt you for a password for that username. The password that you type will not be echoed onto the screen, but it will ask you for confirmation (by having you re-type it) and it will be immediately encrypted. The output from this command is a .htpasswd file with an entry with the form:

{user}:{encrypted password}

The -c option creates a new passwd file instead of editing an old one. So only use the -c option the first time the htpasswd command is used for a given directory.

Finally, make sure that read permissions for this file are set for everyone (i.e. owner, group, and other). For more detailed information, check out the Apache Docs.

If you want to maintain separate password lists for different directories, then you need .htpasswd files in different directories. To create these, follow the above instructions for each directory you want to protect.
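
The rules above (quoted AuthName message, full path in AuthUserFile, no "www" portion in a virtual domain path, a require line, and a password file readable by everyone with {user}:{encrypted password} entries) can be checked before you rely on the protection. The script below is an added example, not part of the original help page or Illuminati Online's tooling; the function name check_htaccess and the sample files are made up for the demonstration.

```shell
#!/bin/sh
# Added example: lint a .htaccess file against the rules this page states.
# Prints one line per problem and returns the number of problems found.
check_htaccess() {
    ht=$1; problems=0
    note() { echo "$ht: $1"; problems=$((problems + 1)); }

    # First occurrence of each directive (Apache directive names are case-insensitive).
    pwfile=$(awk 'tolower($1) == "authuserfile" { print $2; exit }' "$ht")
    atype=$(awk 'tolower($1) == "authtype" { print tolower($2); exit }' "$ht")
    name=$(awk 'tolower($1) == "authname" {
        sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }' "$ht")

    case $name in
        \"*\") ;;    # quoted message, as the page requires
        *) note "AuthName message is missing or not in quotation marks" ;;
    esac
    [ "$atype" = basic ] || note "AuthType is not Basic"
    grep -qi '^[[:space:]]*require[[:space:]]' "$ht" || note "no require line"

    case $pwfile in
        /virtual/customer/www.*) note "AuthUserFile path includes the www portion" ;;
        /*) if [ ! -f "$pwfile" ]; then
                note "password file $pwfile does not exist"
            elif [ -z "$(find "$pwfile" -perm -444)" ]; then
                note "password file is not readable by owner, group and other"
            elif grep -qv '^[^:]\{1,\}:..*' "$pwfile"; then
                note "password file has a line not in user:password form"
            fi ;;
        *) note "AuthUserFile is missing or not a full path" ;;
    esac
    return "$problems"
}

# Constructed sample files; names and contents are made up for the demonstration.
demo() {
    d=$(mktemp -d)
    printf 'dozer:CONSTRUCTED-HASH\n' > "$d/.htpasswd"; chmod 644 "$d/.htpasswd"
    printf 'AuthUserFile %s\nAuthGroupFile /dev/null\nAuthName "Members only"\nAuthType Basic\nrequire valid-user\n' \
        "$d/.htpasswd" > "$d/good"
    printf 'AuthUserFile .htpasswd\nAuthName Members only\nAuthType Basic\n' > "$d/bad"
    good=0; check_htaccess "$d/good" || good=$?
    bad=0; check_htaccess "$d/bad" || bad=$?
    rm -rf "$d"
    echo "good=$good bad=$bad"
}
demo
```

The second sample fails three checks: the AuthName message is unquoted, there is no require line, and AuthUserFile is a relative path.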

NOTE: Using passwords does not ensure security. You should not use this method to send sensitive information, such as credit card numbers. This method is meant only to prevent casual users from viewing your pages, not to prevent dedicated snoops from accessing confidential data. Illuminati Online assumes no responsibility for the security of password-protected pages.



Last revised March 14, 2000