Saturday, August 18, 2012

How to set up .htpasswd protection for an Apache Server


Protecting content on the web is something that most savvy users will have to do at one point or another. Whether the content is personal or professional, there comes a time when that content must only be seen by "authorized" eyes. The Apache web server (that daemon that serves up your marvelous content) allows a user to configure two files to facilitate this very purpose. Those files are .htaccess and .htpasswd.

.htaccess
The .htaccess file is a simple text file placed in the directory you want the contents of the file to affect. The rules and configuration directives in the .htaccess file will be enforced on whatever directory it is in and all sub-directories as well. In order to password protect content, there are a few directives we must become familiar with. One of these directives in the .htaccess file (the AuthUserFile directive) tells the Apache web server where to look to find the username/password pairs.

.htpasswd
The .htpasswd file is the second part of the affair. The .htpasswd file is also a simple text file. Instead of directives, the .htpasswd file contains username/password pairs. The password will be stored in encrypted form and the username will be in plaintext.

Apache Server
We have to make some changes to the Apache conf file and restart the service. The procedure is explained below.

Creating an .htaccess file:-
Go to the directory you need to password protect and create a file named .htaccess.
Add the following lines to it.
AuthName "Hello user!"
AuthType Basic
# Location of the .htpasswd file; specify it according to your setup
AuthUserFile /usr/local/linuxhowto/.htpasswd
# Replace pankaj with the desired username
Require user pankaj


Save the file.


Creating an .htpasswd file:-

To create a .htpasswd file in /usr/local/linuxhowto

htpasswd -c /usr/local/linuxhowto/.htpasswd pankaj

Note the '-c' is only used when creating a new .htpasswd file.

To add umar to an existing .htpasswd file located in /usr/local/linuxhowto/, the following command will be used.

htpasswd /usr/local/linuxhowto/.htpasswd umar

Sample .htpasswd File

Below is a sample .htpasswd file that contains users pankaj and umar
pankaj:n5MfEoHOIQkKg
umar:9fluR/1n73p4c
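
The two sample hashes above are 13 characters long, which is the traditional crypt() format; the htpasswd documentation notes that this algorithm limits passwords to 8 characters and is insecure by today's standards. The following added example (not from the original post) audits an .htpasswd file and flags such entries so they can be regenerated, for instance with htpasswd -B; the alice and bob lines are constructed sample data and the function names are this example's own.

```python
import re

# The first two entries are the ones shown on this page; alice and bob are
# constructed for illustration and are not real password hashes.
SAMPLE = """\
pankaj:n5MfEoHOIQkKg
umar:9fluR/1n73p4c
alice:$apr1$CONSTRUC$TEDconstructedCONSTRUC
bob:$2y$10$CONSTRUCTEDsaltCONSTRUCTEDhashCONSTRUCTEDhashCONSTRUC
"""

# (pattern, scheme name, insecure?) -- the insecure flag follows the wording
# of the htpasswd manual for -d (crypt) and -s (SHA-1).
SCHEMES = [
    (re.compile(r"^\$2[aby]\$\d{2}\$"), "bcrypt", False),        # htpasswd -B
    (re.compile(r"^\$apr1\$"), "apr1-md5", False),               # htpasswd -m
    (re.compile(r"^\{SHA\}"), "sha1-unsalted", True),            # htpasswd -s
    (re.compile(r"^[./0-9A-Za-z]{13}$"), "des-crypt", True),     # htpasswd -d
]

def classify(hash_field):
    """Return (scheme, insecure) for the part after 'user:'."""
    for pattern, name, insecure in SCHEMES:
        if pattern.search(hash_field):
            return name, insecure
    # Anything else is treated as plaintext or an unrecognised format.
    return "unknown-or-plaintext", True

def audit(text):
    """Return a list of (line_no, user, scheme, insecure) tuples."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):   # Apache skips these lines too
            continue
        user, sep, hash_field = line.partition(":")
        if not sep:
            findings.append((line_no, line, "malformed", True))
            continue
        findings.append((line_no, user) + classify(hash_field))
    return findings

if __name__ == "__main__":
    for line_no, user, scheme, insecure in audit(SAMPLE):
        status = "REGENERATE" if insecure else "ok"
        print(f"line {line_no}: {user:<8} {scheme:<22} {status}")
```
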


Changes in the apache conf file:-
Open the httpd.conf file using your favourite editor and go to the Directory section for the directory you want to protect.

<Directory /home/linuxhowto/public_html/protected>
    AllowOverride All
</Directory>

You have to specify the correct path for the directory you need to password protect. Here I have protected the directory /home/linuxhowto/public_html/protected.

Restart the apache service.


Troubleshooting

Make sure that the path specified in AuthUserFile is the correct full path. This is a major cause of problems. If Apache cannot find the .htpasswd file, then all attempts will fail.

Make sure the permissions on the .htaccess and .htpasswd files are set so that Apache can read them.

chmod 0644 .htaccess
chmod 0644 .htpasswd

Other issues may be out of your control. Web administrators can lock down Apache so that it ignores all .htaccess files it encounters. This can be achieved with an AllowOverride None directive on the ServerRoot/DocumentRoot directories. If this is the case (.htaccess not allowed), you will have to kindly ask your web administrator to allow .htaccess files with authorization directives in your personal web directory. This can be achieved with the AllowOverride AuthConfig directive.
