Securing your web pages with htaccess
IT UNIX Systems

If you need to restrict access to one or more of your web pages you might want to try htaccess! To see how htaccess works go to:

http://www.wsu.edu/UNIX_Systems/class1/example.html

When prompted, use the userid student and password spass, or the userid teacher and the password tpass.

The process of setting up protection requires the use of telnet and the UNIX command line, but is about as simple as anything that requires them. For each area on your site (a directory and its contents, including other directories) you wish to protect, you must create two files:

  • .htaccess
  • .htpasswd

Note the dot "." at the start of each name.

.htaccess contains security directives for the specific directory you want to protect and .htpasswd contains the userids and associated encrypted passwords.

.htaccess

This file contains the instructions (security directives) for htaccess. For example, if you have a directory within public_html called class1, you can protect all pages and directories within that directory with one .htaccess file in class1. This file must contain the following "directives":

AuthUserFile /users/www/userid/public_html/class1/.htpasswd
AuthGroupFile /dev/null
AuthName Private
AuthType Basic
<Limit GET>
require user USERID1 USERID2
</Limit>

To find the path for AuthUserFile use the pwd UNIX command from the directory you are protecting and change the AuthUserFile line to match.

You can change AuthName to any title you want to display on the password popup box. The title can only be 1 word long.

Replace USERID1 and USERID2 with userids that you invent to allow access to your web pages, i.e. student and teacher in the example above. All the userids which should be able to access a particular directory must be mentioned in that directory's ".htaccess" file.

You could create this file directly on UNIX, or create it as a plain text file on your desktop machine and upload it in the same way as an HTML page to the appropriate directory or directories.

.htpasswd

The password file whose path you enter in the first line of the .htaccess file is a list of userids and passwords that you invent for access to your web pages. For added security, the server requires that the file be created and maintained by the program htpasswd which encrypts the password information.

You can call this file by any name but it is recommended that you call your password file .htpasswd (again, note the period at the front of the name -- this is part of the recommended name). You can have more than one password file. You can keep a separate .htpasswd and .htaccess file for each directory you are protecting. If you have a simple web with only one directory you should put them in your "public_html" directory.

To create the password file, cd to the directory you are protecting and use the following UNIX command:

htpasswd -c .htpasswd USERID1

substituting a userid for "USERID1". (The "-c" flag means "create a new file".)

If you need to add more userids (say, for other users or directories), use

cd ~/public_html
htpasswd .htpasswd USERID2

again substituting the id you invented for USERID2. Don't forget to update the "require user" line in the .htaccess file in every directory that the new userid should be able to access.
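The following Python check is an added example, not part of the original page or of any WSU tooling. It compares the "require user" line against the .htpasswd entries, the step the paragraph above warns about, and goes slightly further by flagging three properties of the setup shown here, assuming Apache httpd behaviour. The function name audit, the userid "assistant" and the hash strings are constructed for illustration.

```python
import re

def audit(htaccess: str, htpasswd: str, docroot: str) -> list[str]:
    """Check one .htaccess/.htpasswd pair for mistakes this setup invites."""
    findings, allowed, userfile, limit = [], [], None, None
    for line in (l.strip() for l in htaccess.splitlines()):
        opened = re.match(r"<Limit\s+([^>]+)>", line, re.I)
        if opened:
            limit = opened.group(1).upper().split()
        elif line.lower().startswith("</limit"):
            limit = None
        elif line.lower().startswith("authuserfile "):
            userfile = line.split(None, 1)[1].strip('"')
        elif re.match(r"require\s+user\s", line, re.I):
            allowed += line.split()[2:]
            if limit:  # methods not listed in <Limit> bypass the require line
                findings.append("require is limited to " + "/".join(limit)
                                + "; other HTTP methods are not password-protected")
    if userfile is None:
        findings.append("no AuthUserFile directive")
    elif userfile.startswith(docroot.rstrip("/") + "/"):
        findings.append("password file is inside the web tree: " + userfile)
    # Each .htpasswd line has the form "userid:hash".
    hashes = dict(l.split(":", 1) for l in htpasswd.splitlines() if ":" in l)
    for user in allowed:
        if user not in hashes:
            findings.append(f"{user}: in 'require user' but has no .htpasswd entry")
    for user, digest in hashes.items():
        if user not in allowed:
            findings.append(f"{user}: has a password but is not in 'require user'")
        if len(digest) == 13 and not digest.startswith("$"):
            findings.append(f"{user}: traditional crypt() hash, only 8 password characters count")
    return findings

# Constructed sample input modelled on the page's class1 example.
HTACCESS = """\
AuthUserFile /users/www/userid/public_html/class1/.htpasswd
AuthGroupFile /dev/null
AuthName Private
AuthType Basic
<Limit GET>
require user student teacher
</Limit>
"""
HTPASSWD = "student:XXconstructed\nassistant:$apr1$constructed$notarealhashvalue000\n"

if __name__ == "__main__":
    for finding in audit(HTACCESS, HTPASSWD, "/users/www/userid/public_html"):
        print("-", finding)
```

Run against the constructed sample, it reports five findings: the GET-only limit, the password file sitting under public_html, teacher with no password entry, student with a traditional crypt() hash, and assistant missing from "require user".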

Further Information

Another tutorial, with links to details about .htaccess and its security directives, can be found at:

http://www.he.net/info/htaccess/demo.html



Comments and questions: usgwww@wsu.edu.
Revised October 2, 1998.
Copyright © 1996-1997 Washington State University.
URL: http://www.wsu.edu/UNIX_Systems