Web Server Manual - Protection and .htaccess File

Web Server Manual | Frames Format

Web Server FAQs

Email FAQs

FrontPage FAQs

NT/ASP FAQs

Mod_Write Guides

Perl / Unix FAQs

Secure Socket Layer (SSL)

Software & Reference files

Password Protection

Recommendations/Questions?

Password Protection and the .htaccess file

Password protected directories tutorial
Web Monkey Tutorial on Password Protection (excellent!)
- Exceptional article on setting "Group" permissions.
Restricting access by domain name or IP address
How to create WWW FTP directory listings
How to turn off directory listings

Password Protected Directories | top

If you do not have SSH access you may create password protected directories via your control panel, at:
http://cp.your_domain.com

Assumptions

You have shell access software, such as, Telnet or other.
You have FTP access software.
You have a text editor, such as, Notepad, Simple Text, etc.
The directory you wish to restrict access to is named: protected
- Your directory name can be anything you wish.
Your password file is located at /home/vs#####/public_html/protected/.htpasswd
- To simplify this example, we are creating the .htpasswd in the protected directory protected. You "should not" do this for your actual protected directory. Create your .htpasswd file elsewhere when possible and set the path accordingly (e.g., your your cgi-bin or other directory).
The names who have access to your protected directory are: dave and juliet
Bold Black words are file names or paths.
Red words are Telnet commands.

Create the .htaccess File

With your text editor create a file named: .htaccess
Copy the following text into this file:

<Files ~ "\.htpasswd$">
order deny,allow
deny from all
</Files>
AuthUserFile /home/vs#####/public_html/protected/.htpasswd
AuthGroupFile /dev/null
AuthName Password_secure
AuthType Basic

require user dave juliet

Notes:

The "<Files ~ "\.htpasswd$">" part of the text above prevents others from looking at your .htpasswd file in a web browser.

"AuthName Password_secure" line above can be changed to anything you wish.

This text appears when the username/password request window pops up.

Very important: no spaces are allowed between words on this line.

This will not work for example: "AuthName Password secure"

Add as many names with spaces as needed on line "require user dave juliet"

Now upload this file .htaccess to your protected directory.

Create the Secret Password

Log into your account via your shell access software (via Telnet).
Change to the directory public_html, cd public_html
Set permissions on your protected directory to allow the password file to create itself, by typing at the prompt: chmod 775 protected
Change to the directory protected, cd protected

Create the passwd file and first user by typing at the prompt:

htpasswd -c .htpasswd dave
- This will create the password file for this directory.
Go ahead and try the protected directory in your browser now to see your password protection work!
- http://your_domain.com/protected for example.
Once done, remember to change /protected back to permissions 755: chmod 755 ../protected

Screen Shot Example:

[vs02000@vs02 public_html]$ mkdir protected
[vs02000@vs02 public_html]$ chmod 775 protected
[vs02000@vs02 public_html]$ cd protected
[vs02000@vs02 protected]$ htpasswd -c .htpasswd dave
New password:
Re-type new password:
Adding password for user dave
[vs02000@vs02 protected]$

The password entered is: test

I created and uploaded the .htaccess file, as "text," into the /protected directory, contents:

<Files ~ "\.htpasswd$">
order deny,allow
deny from all
</Files>
AuthUserFile /home/vs02000/public_html/protected/.htpasswd
AuthGroupFile /dev/null
AuthName Password_secure
AuthType Basic

require user dave juliet

Done. Check Web Site...

Add Additional Users

Assumptions:

Name of this directory is: protected
It is working with at least one user name and password.
You know how to use Telnet.
You have the FTP username/password to the website.

Step by step:

Log into your account via via Telnet or other.

Use the host name and username/password provided in your setup instructions.
Change to the directory public_html.

The Telnet command is: cd public_html
Now change directories again to your secure directory, in this case named: protected

The Telnet command would be: cd protected
At the prompt type: htpasswd .htpasswd john

This creates a new user named john
You will then be prompted for the new password for this new user.
Now check via your web browser to ensure the new username and password works.
To add another user name and password repeat steps 4-6.
Note also your protected web pages must reside in the protected directory, and the first page must be called index.html or index.htm (unless you wish your files to appear as an FTP site).

Restricting Access by domain name or IP address | top

To put a site lock on your Web pages, you need to create a file called .htaccess and upload it into the directory that contains the pages you wish to restrict.

This allows all, but denies what you set in the .htaccess file:

<Files ~ "\.htaccess$">
order deny,allow
deny from all
</Files>
<Limit GET POST>
order allow,deny
allow from all
deny from 209.240.200.144 209.240.198
</Limit>

This denies all, but allows some:

<Files ~ "\.htaccess$">
order deny,allow
deny from all
</Files>
<Limit GET POST>
order deny,allow
deny from all
allow from .ncsa.uiuc.edu aol.com
</Limit>

The restrictions put in place by the .htaccess file will affect all of the files in that directory, as well as all files in any subdirectories, so if you want to restrict only a part of your pages, recommend you put the restricted pages into their own directory.

The "<Files ~ "\.htaccess$">...</Files>" part of the text above prevents others from looking at your .htpasswd file in a web browser.

How to create WWW FTP directory listings (like the Software directory) | top

This document is a brief explanation on how directory listings can be set up.
Majority of this writing was taken from a tutorial written by J J Fardoulis (July 2, 1996), University of Western Sydney.

Steps to the Process

Create a file called .htaccess in the directory you wish the contents to be displayed.
NOTE: The .htaccess file can be used for many things (including WWW security), but we are using it for the purpose of listing the contents of the directory.

The .htaccess file should have something like the following in it:

Options Indexes
DefaultType text/plain
AddDescription "Back to TT Page"         ..
AddDescription "Commerce"                1
AddDescription "Education"               2
AddDescription "Visual & Perform Arts"   3
AddDescription "Science & Technology"    4
AddDescription "Nursing & Health Stud"   5
AddDescription "Humanities & Soc Sci"    6
AddDescription "Non-Faculty"             7
AddDescription "Engineering"             8
AddDescription "Law"                     9
AddDescription "** ALL SUBJECTS **"      all

The first line causes the directory to be listed. The optional second line indicates that, as a default, the files in the directory have the text/plain MIME type. This can be changed as required. The following optional lines allow you to add a description to each of the (expected) files in the directory. The format of these lines are, the word AddDescription, followed by a string to display (the first 16 characters are used), and the file to display the description for. The file can have wildcard characters as in:

Options Indexes
AddDescription "Text file" *.TXT
AddDescription "MS Word document" *.DOC
AddDescription "MS Powerpoint document" *.PPT
AddDescription "Bin-hex archive" *.hqx

You can also add one or both of the following text files to the directory:

HEADER
README

The contents of the HEADER file gets displayed at the top of the directory listing page. The contents of the README file gets displayed at the bottom of the directory listing page. These two files seem to accept some HTML commands and execute them similarly to html files.

How to turn off directory listings | top

Add this line to your .htacess file:
Options -Indexes

Top Index