Fordham, New York City's Jesuit University
back Back to course home page

Putting password protection onto selected directories, for Apache 1.3 server.

Robert K. Moniot

September 16, 2001

  1. First, get your web administrator to enable your use of .htaccess files. This requires a stanza in ServerRoot/conf/access.conf like this: 
            <Directory /home/webber/public_html>
        AllowOverride AuthConfig
        </Directory>
    where /home/webber is replaced by your home directory. Without this, the usual default is AllowOverride None, which means that .htaccess files are ignored. The above stanza allows .htaccess control in all subdirectories of the specified Directory.

  2. Set up a reasonably secure directory for the password (and optionally the group) files. This directory should not be in the web document tree! If it is, someone who can learn or guess the URL of the password file can fetch it and try to crack the passwords. (This refers to visitors from elsewhere on the Internet. There is no simple way to prevent users with accounts on the web server host itself from snooping in the password file, so we will have to settle for security by obscurity and trust them not to try too hard.)

    Let us name this directory http-etc by analogy to the Unix /etc directory where the system passwd and group files reside. Place it in your home directory (not in public_html) so that it is outside URL space. Give it permission 701 = rwx-----x meaning you the owner can do anything, and the web server, running as the ordinary user apache, can access the directory but cannot list it (so it must know the file names in advance).1

  3. In the http-etc directory, create the password file. It can have any name. A usual choice is htpasswd. Give it permission 644 = rw-r--r--. This file can be created empty by the touch command, or created with one initial entry by using the -c option when you run the htpasswd command the first time.

  4. Add users to the password file using the htpasswd command. From your home directory, the command would be something like: 
            htpasswd http-etc/htpasswd guest

    In this example, the htpasswd program will prompt you for the password for user guest. After you type the password, you will have to re-type it for verification. The format of the password file is like this: 

           guest:IA22a/FU48faw
       janeuser:kyxFwALyFbsPw
       joeuser:rjyJsqbtXCvXo
    The gibberish after each user's name is the encrypted password. The plaintext passwords are not stored, for obvious security reasons. You cannot edit this file to change the passwords, unless you are the kind of person the NSA is very interested in hiring. The only way to update it is with the htpasswd program.

  5. If you want to organize your users into groups, create a groups file, in the same directory as the password file. Its usual name is htgroup. Give it the same permissions as the password file. It contains a list of group names, with each group name followed by the user names belonging to the group. Create it using any text editor. The format is like: 
            guest: guest
        users: janeuser joeuser

  6. In any directory in your web page area that is to be protected, create a file named .htaccess, with contents like this: 
            AuthType Basic
        AuthName "Restricted Directory"
        AuthUserFile /home/webber/http-etc/htpasswd
        AuthGroupFile /home/webber/http-etc/htgroup
        Require group users guest
    Alternatively the require directive can say: 
            Require user guest joeuser
    or 
            Require valid-user

Robert Moniot 2001-09-16