How to Restrict Access to Web Pages

WARNING!

The method described below relies on sending clear-text passwords over unencrypted network connections. It is possible that someone could sniff the network between a browser and your web page and steal passwords. Use unique passwords to restrict access to web pages; do NOT use passwords that also are used to login to other systems.

Restricting access to web pages takes two steps. First, you create a file containing the usernames and passwords. Second, you tell the server what resources are to be protected and which users are allowed to access them, after entering a valid password.

A list of users and passwords needs to be created in a file. For security reasons, this file MUST be named starting with .htpasswd (e.g. .htpasswd or .htpasswd-spr-course, etc). The examples here will assume that a user with the username efudd wants to use a file /homepage/efudd/.htpasswd-myusers for the list of users and passwords.

The file will consist of a list of usernames and a password for each. The format is similar to the standard UNIX password file, with the username and password being separated by a colon. However, you cannot just type in the usernames and passwords, because the passwords must be stored in an encrypted format. The program htpasswd is used to create a user file and to add or modify user entries.

For example, to create a new user file and add the username martin with the password hampster to the file .htpasswd-myusers in your home directory, you would execute this command at a UNIX command prompt:

htpasswd -m -c /homepage/efudd/.htpasswd-myusers martin

The -m tells htpasswd to encrypt the password with the MD5 algorithm, the -c argument tells htpasswd to create a new users file. When you run this command, you will be prompted to enter a password for martin, and confirm it by entering it again. Other users can be added to the existing file in the same way, except that you would not use the -c argument. The same command can also be used to modify the password of an existing user. To add the user jane to the already existing .htpasswd-myusers file, run this command:

htpasswd -m /homepage/efudd/.htpasswd-myusers jane

After adding a few users, your users file might look like this:

martin:$apr1$/OOcI...$xKPpDEYf0.YzeD/YAjUjX/
jane:$apr1$wUc9d...$7LUwGztUakXW59PeUXYZY/
art:$apr1$IY1WV...$C0J5yAibvNLndqp8GdmW1/

The first field is the username, and the second field is the encrypted password.

Once you have created your users file, you need to set permissions so that it and every directory above it is accessible to the web server. To do this, use the chmod command:

chmod o+r /homepage/efudd/.htpasswd-myusers

The chmod command makes .htpasswd-myusers readable by the web server.

To restrict a directory to any user listed in the users file just created, you should create a .htaccess file in that directory. The following example will assume that user efudd wants to restrict the directory /homepage/efudd/private. The .htaccess file would be /homepage/efudd/private/.htaccess, and it should contain something like this:

AuthName "my_auth_name"
AuthType Basic
AuthUserFile/homepage/efudd/.htpasswd-myusers
require valid-user

The first directive, AuthName, specifies a name for this protected area. The AuthName "my_auth_name" is just an example; you can use any AuthName you like. The AuthType should always be Basic.AuthUserFile tells the server the location of the user file created by htpasswd. NOTE: The AuthUserFile entry MUST NOT be a relative path.

The require directive tells the server which usernames from the file are valid for particular access methods. In this example, the argument valid-user tells the server that any username in the users file can be used. But it could be configured to allow only certain users in:

require user martin jane

would only allow users martin and jane access (after they entered a correct password). If user art (or any other user) tried to access this directory - even with the correct password - they would be denied.

Once you have created your .htaccess file, you again need to set its permissions so that it is accessible to the web server. To do this, use the chmod command again:

chmod o+r /homepage/efudd/.htaccess