Introduction
Want to protect your files from prying eyes, but let your friends in on the secret? The easiest way is to use Apache .htaccess files. These are simple little text files that, along with an .htpasswd file, allow you to place passwords on directories.
Section 1: Getting Ready
Software Required
Apache 1.3.6+ HTTPd
Optional: EditPlus (or any other good text editor)
Configuring the software
It is assumed that you have compiled and are already running the Apache httpd, or have access to a machine that has.
Section 2: .htaccess and .htpasswd
.htaccess
.htaccess is a simple text file, so let's look at an example.
1: AuthUserFile /usr/local/apache/.htpasswd
2: AuthGroupFile /dev/null
3: AuthName "My Secret Stuff"
4: AuthType Basic
5: <Limit GET POST>
6: require valid-user
7: </Limit>
1: The path and filename of your .htpasswd file. This file should be OUTSIDE of your web-accessible directory tree; otherwise someone could download the file and crack the passwords.
2: Group file. This is beyond the scope of this document, so just set it to /dev/null for now to signify that we have no groups.
3: What you would like to appear in the web browser's "Area" field for the enter password dialog. Be descriptive, but be sure to leave the quotes on.
4: Leave this set to Basic, as it's the only authentication type that we're interested in.
5: Which HTTP "operations" we wish to have restrictions on. GET and POST are all that really matter.
6: This signifies that any 'valid user' from the password file will be accepted. You can also specify a specific user, such as krypt, and only he will have access. Separate usernames with a space, or just use valid-user.
7: End of the restrictions block.
After you have created this file and placed it into the directory you wish to protect, it's time to create your .htpasswd file.
.htpasswd
This file is not created manually, but by the htpasswd program included with Apache. Common locations for this program are /usr/local/httpd/bin/htpasswd and /usr/local/apache/bin/htpasswd. I will use the latter in this example.
To create this file, switch to the directory that you specified in line 1 of the .htaccess file, and execute the following bash command at the telnet prompt:
/usr/local/apache/bin/htpasswd -c .htpasswd username
Replace username with a username which you wish to use; you may add more later. You will be prompted for the password, and an .htpasswd file will be created.
To add additional users, execute:
/usr/local/apache/bin/htpasswd .htpasswd username
as many times as needed. They will be appended to the .htpasswd file.
Apache (httpd.conf) configuration
It is a very common mistake among new sysadmins to neglect this step. If you do not have root access to the server you want to use .htaccess files on, you will have to rely upon its administrators for proper configuration; if the server is yours, read on. By default, Apache disables .htaccess files by setting AllowOverride None in your root web directory. To enable them again, just add the following directive to your httpd.conf file:
<Directory "(root http path)/protected_files">
AllowOverride All
</Directory>
This will allow an .htaccess file in your (root http path)/protected_files directory, and all of its subdirectories as well. If you want to allow .htaccess files in the entire site, find the "Directory /" entry, and change AllowOverride None to AllowOverride All (search and replace works for this).
Reset Apache
If you made any configuration changes, run
killall -1 httpd
at the Unix prompt to reset Apache and make it re-read its configuration files.
Testing it out
Point your web browser to your newly protected directory. It should ask you for a username and password combo; if it does, you're successful. Please note that if it doesn't seem to accept your username/password, check the 'require' directive in .htaccess, and good luck!
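A browser prompt only shows that GET is protected, so the following added example (not part of the original tutorial) audits the .htaccess from Section 2 before deployment. It checks that the AuthUserFile sits outside the document root, that `require` is not confined to a `<Limit>` block (Apache leaves every method not listed there unrestricted), and that Basic authentication is noticed so the directory can be put behind TLS. The function name `audit_htaccess`, the finding codes and the document root passed in are assumptions made for this illustration.

```python
import os
import re

# Constructed input: the seven-line .htaccess from Section 2, line numbers removed.
SAMPLE = """AuthUserFile /usr/local/apache/.htpasswd
AuthGroupFile /dev/null
AuthName "My Secret Stuff"
AuthType Basic
<Limit GET POST>
require valid-user
</Limit>
"""

def audit_htaccess(text, docroot):
    """Return (code, message) findings for the auth directives in an .htaccess file."""
    findings, seen, limit = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<Limit\s+([^>]+)>", line, re.I)
        if opened:                                   # entering <Limit METHOD ...>
            limit = opened.group(1).upper().split()
        elif re.match(r"</Limit>", line, re.I):      # leaving the block
            limit = None
        else:
            name, value = (line.split(None, 1) + [""])[:2]
            seen[name.lower()] = value.strip().strip('"')
            if name.lower() == "require" and limit is not None:
                findings.append(("LIMITED_REQUIRE",
                    "require only covers %s; other HTTP methods are unrestricted"
                    % " ".join(limit)))
    if "require" not in seen:
        findings.append(("NO_REQUIRE", "no require directive, nothing is protected"))
    pwfile = seen.get("authuserfile")
    if pwfile is None:
        findings.append(("NO_PWFILE", "AuthUserFile is missing"))
    elif not os.path.isabs(pwfile):
        findings.append(("RELATIVE_PWFILE",
            "relative AuthUserFile is resolved against ServerRoot; confirm where it lands"))
    else:
        root, path = os.path.normpath(docroot), os.path.normpath(pwfile)
        if os.path.commonpath([root, path]) == root:
            findings.append(("PWFILE_IN_DOCROOT",
                "%s is under the document root and may be downloadable" % path))
    if seen.get("authtype", "").lower() == "basic":
        findings.append(("BASIC_CLEARTEXT",
            "Basic sends the password base64-encoded on each request; require TLS"))
    return findings
```

Calling `audit_htaccess(SAMPLE, "/usr/local/apache/htdocs")`, with that document root assumed, reports LIMITED_REQUIRE and BASIC_CLEARTEXT for the tutorial's file; moving `require valid-user` out of the `<Limit>` block clears the first finding.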