How to password protect web pages and CGI scripts using .htaccess files

For Apache 1.3.6-7 on Red Hat Linux 6.0

By Phil Jones (pjls16812 at blueyonder.co.uk)

Index

  1. Intro
  2. Setup
  3. Testing
  4. Help! There's something wrong
  5. Setting things up the way you want
  6. Download htprotectdir
  7. Links

Intro

In the Apache web server supplied with Red Hat Linux 6.0, document password protection is off by default. This article explains how to enable password protection for some or all HTML pages and CGI scripts. This article does not explain how to protect individual files; only directories. This article covers setting up, testing and hopefully understanding htaccess based user authentication.

The outline of the procedure is:

For this procedure to work, you must be logged in as root.


Setup

1) Edit /etc/httpd/conf/access.conf.
2) Navigate to line 46. This line controls whether the .htaccess security scheme is enabled for HTML pages. Change this line so it reads:
AllowOverride AuthConfig
3) Navigate to line 59. This line controls whether .htaccess security is enabled in the CGI script directory. Change this line so it reads:
AllowOverride AuthConfig
4) Save changes and quit the text editor. If you get an error, maybe you're not logged in as root.

5) Restart Apache. On the command line enter:

/etc/rc.d/init.d/httpd restart
6) Make a directory for the 'web users' password file. For security reasons this file must be outside the directory served by the web server. Enter:
mkdir /usr/local/etc/httpd

7) Create the 'web users' password file. We will add a sample user to it at the same time. Enter:

htpasswd -c /usr/local/etc/httpd/users testuser
You will be prompted for a password. When done, you should see 'Adding password for user testuser'. This means it worked.

8) Check the permissions on the new file. Enter:

cd /usr/local/etc/httpd
ls -all
You should see:
total 3
drwxrwxr-x   2 root     root         1024 May 26 19:11 .
drwxr-xr-x   4 root     root         1024 May 30 17:19 ..
-rw-r--r--   1 root     root          104 May 31 11:14 users
If the users file permissions are not -rw-r--r-- then enter:
chmod 644 users
9) Examine the new file. This isn't compulsory, it's just nice to see what's happened. Enter:
cat users
You should see something like:
testuser:rgMFIrplPFGkk
The code to the right of the colon is the encrypted password.

10) Create a sample web directory, index.html and .htaccess file to test. Enter:

mkdir /home/httpd/html/test
cd /home/httpd/html/test
touch index.html
touch .htaccess
Next, edit index.html and put some text in there such as, 'Hello, this should be password protected'. Then edit .htaccess so it reads:
AuthName "Restricted Stuff"
AuthType Basic
AuthUserFile /usr/local/etc/httpd/users
require valid-user
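
The result of the Setup steps can be checked with a script. The following is an added example, not part of the original article or of htprotectdir: POSIX shell functions (ht_directive and audit_htaccess are names made up here) that read a directory's .htaccess, confirm it has a require line, and verify that the AuthUserFile lies outside the served tree and is not writable by group or others. The demo layout is constructed in a temporary directory, and paths are assumed to contain no spaces.

```shell
# Print the last value of directive $2 in file $1 (names are case-insensitive).
ht_directive() {
    awk -v d="$2" 'tolower($1) == tolower(d) { v = $2 }
                   END { gsub(/"/, "", v); print v }' "$1"
}

# audit_htaccess PROTECTED_DIR DOCROOT: print findings, return 0 if none.
audit_htaccess() {
    ht="$1/.htaccess"; rc=0
    [ -f "$ht" ] || { echo "FAIL: no .htaccess in $1"; return 1; }
    # Without a require line Apache never asks for a password.
    [ -n "$(ht_directive "$ht" require)" ] || { echo "FAIL: no require line"; rc=1; }
    pw=$(ht_directive "$ht" AuthUserFile)
    case $pw in
        /*) ;;
        *) echo "FAIL: AuthUserFile missing or not an absolute path"; return 1 ;;
    esac
    [ -f "$pw" ] || { echo "FAIL: $pw does not exist"; return 1; }
    # Resolve symlinks so a link cannot hide where the file really lives.
    root=$(cd "$2" && pwd -P)
    pwdir=$(cd "$(dirname "$pw")" && pwd -P)
    case "$pwdir/" in
        "$root"/*) echo "FAIL: $pw is inside the served tree $root"; rc=1 ;;
    esac
    # Group- or world-writable: other local accounts could add web users.
    if [ -n "$(find "$pw" \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "FAIL: $pw is writable by group or others"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $ht points at $pw"
    return "$rc"
}

# Constructed demo layout in a temp dir (stand-ins for the article's paths).
demo=$(mktemp -d)
mkdir -p "$demo/html/test" "$demo/etc"
echo 'testuser:rgMFIrplPFGkk' > "$demo/etc/users"
chmod 644 "$demo/etc/users"
printf 'AuthName "Restricted Stuff"\nAuthType Basic\nAuthUserFile %s\nrequire valid-user\n' \
    "$demo/etc/users" > "$demo/html/test/.htaccess"
audit_htaccess "$demo/html/test" "$demo/html"
```

On the article's system the call would be audit_htaccess /home/httpd/html/test /home/httpd/html.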

Testing

We'll test using lynx because it lets us see what's going on more easily. Enter:
lynx localhost/test/
Don't forget the slash on the end. If you leave the ending slash off, Apache will have to redirect the browser to the real address we want, which is localhost/test/index.html. You should be prompted for username and password. Enter testuser, then the password you chose. You should then see your web page!


Help! There's something wrong

If you get an error, view the file /var/log/httpd/error_log to find out what's the matter.

I didn't get an enter password dialog when I tried to view the page that should be protected using my browser, why not?

Check that the .htaccess file you created is located in the directory which you want to protect. For example, if you want to protect the documents in /home/httpd/html, make sure the .htaccess file is located in /home/httpd/html. Make sure the corresponding Directory section in the Apache configuration file (e.g. <Directory "/home/httpd/html">) enables your .htaccess file with the directive AllowOverride AuthConfig.
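
One way to check the AllowOverride setting without opening an editor, as an added example that is not from the original article: allowoverride_for and htaccess_auth_enabled are hypothetical helper names and the sample configuration is constructed. Only the Directory section whose path matches exactly is examined, so inheritance from parent sections is not modelled.

```shell
# allowoverride_for CONF DIR: print the AllowOverride arguments set inside
# the <Directory DIR> section of CONF (empty output if the section has none).
allowoverride_for() {
    awk -v want="$2" '
        /^[ \t]*#/ { next }                         # skip comment lines
        tolower($1) == "<directory" {               # section start
            d = $2; gsub(/[">]/, "", d); inside = (d == want)
        }
        tolower($1) == "</directory>" { inside = 0 }  # section end
        inside && tolower($1) == "allowoverride" {
            $1 = ""; sub(/^ +/, ""); val = $0       # keep only the arguments
        }
        END { print val }' "$1"
}

# htaccess_auth_enabled CONF DIR: succeed if the section lets .htaccess files
# use authentication directives (AuthConfig or All).
htaccess_auth_enabled() {
    case " $(allowoverride_for "$1" "$2" | tr 'A-Z' 'a-z') " in
        *" authconfig "*|*" all "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: one section still at None, one already changed.
conf=$(mktemp)
cat > "$conf" <<'EOF'
<Directory "/home/httpd/html">
Options Indexes Includes FollowSymLinks
AllowOverride None
</Directory>
<Directory "/home/httpd/cgi-bin">
AllowOverride AuthConfig
Options ExecCGI
</Directory>
EOF
for d in /home/httpd/html /home/httpd/cgi-bin; do
    if htaccess_auth_enabled "$conf" "$d"; then echo "$d: .htaccess auth honoured"
    else echo "$d: AllowOverride is '$(allowoverride_for "$conf" "$d")', .htaccess ignored"; fi
done
```

Against the real file the call would be htaccess_auth_enabled /etc/httpd/conf/access.conf /home/httpd/html.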


Setting things up the way you want

You can place a .htaccess file in any directory as long as the directory is served by Apache. The .htaccess file will affect the directory and all its subdirectories. Putting an .htaccess file in the cgi-bin folder will cause the password prompt to come up when the browser requests a script. You can require passwords for some scripts and not others by organising them into subdirectories and putting .htaccess files in the subdirectories instead.

You can add web users with the following command, for example, to add Fred. Note that there is no -c this time: -c creates a new file and would overwrite the existing one.

htpasswd /usr/local/etc/httpd/users fred
Here is a more complicated example of a .htaccess file:
AuthName "My Page Permission"
AuthType Basic
AuthUserFile /usr/local/etc/httpd/users
require user testuser fred
This causes 'My Page Permission' to appear on the password dialog and it allows testuser and fred in.

Is it possible to configure the .htaccess file so that based on who logged in, a particular page is served to them?

No. It only decides whether the user is allowed to read the web document they have requested. Interactivity like this requires the use of a scripting language like Perl/CGI or PHP.

Download htprotectdir

Here is a small utility to password protect a directory. Here is how to use it:
  1. Download htprotectdir.tar.gz.
  2. Make sure the Expect programming language is installed. (which expect)
  3. Uncompress the archive (tar xvzf htprotectdir.tar.gz)
  4. Edit the first line of the resulting htprotectdir file. Make sure the path to Expect is correct.
  5. The usage syntax is:

    htprotectdir [username] [password] [auth name] [htpasswd file] [dir to protect]

    Example:

    ./htprotectdir sampleuser password "protected stuff" /home/sampleuser/.htpasswd /home/sampleuser/public_html
    


Links