Step 1. Configure Apache to Allow Access Authorization
You need to find the httpd.conf file on your Linux server. This file is the Apache web server configuration file that includes lots of very useful Apache web server controls.
For now, simply open it using a text editor. For Fedora users this is done by simply going to /etc/httpd and opening httpd.conf. For others using various flavors, try using this command to identify the location of the httpd.conf file and edit it:
locate httpd.conf
Once you open this file using a text editor, scroll down until you see not the first but the second occurrence of this text:
AllowOverride None
Change that line to instead say:
AllowOverride AuthConfig
Be sure to NOT CHANGE the first occurrence of this in the Apache file, which is the default. Change the second occurrence, which is actually the override. This is VERY IMPORTANT! If you run into trouble make a backup of your httpd.conf file (type: cp httpd.conf httpd.conf.back) and then try using this example. Be sure to reboot the server after you copy our example file.
Step 2. Identify the Folder/Directory to Protect
You should now identify which folders (aka directories) under your web server you would like to protect. For instance, if I want to only allow a certain list of users to access my html files under the Private folder it would look something like the following.
On the Linux server the actual directory path would be:
/var/www/html/Private
On the web browser the path would be:
http://office.server.com/Private
Obviously, I'm giving an example to help you see the difference between the folder/directory name on the Linux server and how it looks to web browsers. You MUST change to the appropriate directory/folder when using the steps below. So in my case I type this command first before beginning on my Fedora server:
cd /var/www/html/Private
Step 3. Add Access Files to the Folder
Once you identify the folder you wish to safeguard, you need to create two files in this folder. The files are: .htaccess and .htpasswd. The .htaccess file displays the access login information needed for users and also includes the list of specific users who can log in. The .htpasswd file includes the individual users and their passwords.
Create the .htaccess file in your folder by using a text editor. Notice that you must include the . (dot) before the file name!
The file should at least include these lines:
AuthName "Login to the Private Area"
AuthType Basic
AuthUserFile /var/www/html/Private/.htpasswd
Require user andrea
Note that the AuthName requires quotes and whatever is in quotes will display on the login window when a user tries to access your private folder with a web browser. It is vital that you properly set the path for the AuthUserFile and obviously replace the word Private with whatever folder you are trying to password protect.
Also be sure to include the user login names of the people you plan to allow into this folder on the Require user line. In my case, I simply added myself to this folder as a user (andrea).
Now, create the .htpasswd file in the same Folder but NOT by using a text editor. Instead use this command from the command line on your Linux server.
Type this command at the prompt:
htpasswd -cmb .htpasswd andrea ann2cute
Note that you must use your own name and password (replace andrea and ann2cute) and that the options -cmb do the following: First, c forces creation of a new .htpasswd file. Since this is your first time adding a user it is necessary. Next, the m option forces MD5 encryption of the password, and b allows you to include the user name and password immediately on the command line. In my case I created a new .htpasswd file, then added the user andrea and her password ann2cute.
Step 4. Add Additional Users
To add users you simply need to edit both files again. First, add a user to the .htaccess file by opening it in a text editor and including the new person (my example is bradley).
The .htaccess file should include these lines:
AuthName "Login to the Private Area"
AuthType Basic
AuthUserFile /var/www/html/Private/.htpasswd
Require user andrea bradley
Remember to save the file when you're done adding the new user!
Now add the user (my example being bradley) to the .htpasswd file using this command:
htpasswd -mb .htpasswd bradley brad4chad
In my example, I used the htpasswd command to add the user bradley, using encryption, to the .htpasswd file that already exists, with brad4chad as his password. That's it!
Step 5. Test the Password Function
Now test that the Apache server is accepting this new protected folder by going to it in a web browser. In my case I test the url http://office.server.com/Private and up comes a pop-up window that requires User Name and Password. I type in my user name and password and instantly I see the index.html page I put in my folder! People who don't have a login won't get access to your web pages within this folder.
What if it didn't work? Almost always this is a result of the httpd process not being restarted. You can easily restart this process to pick up the changes in your updated httpd.conf file by either rebooting or restarting the process. A reboot works fine, so long as you can tolerate a web server outage for a minute or two. Or, on most flavors you can type this command as root user: ./httpd start
Step 6. What About Removing Users
There may come a time when you need to remove users' access. You can do this easily enough by again editing the .htaccess file and running a command to delete the user from the .htpasswd file.
First, edit the .htaccess file, remove the user you no longer wish to allow access, and save the file.
Second, delete the user from the .htpasswd file by typing this command at the prompt:
htpasswd -D .htpasswd bradley
The option -D is for delete. It should prompt you that user bradley was deleted.
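An added example (not part of the original tutorial): a shell check for the two-file bookkeeping in Steps 3, 4 and 6. It reports users on the Require user line with no .htpasswd entry, .htpasswd entries that are no longer listed, MD5 ($apr1$) hashes, and a password file kept inside the protected folder. The names audit_htaccess and make_sample, the finding labels, the user carol and the sample data are assumptions made here, and directive names must be spelled exactly as in this tutorial.

```shell
#!/bin/sh
# Added example, not from the tutorial: cross-check .htaccess against .htpasswd.

# audit_htaccess DIR -> one finding per line on stdout, nothing when consistent.
audit_htaccess() {
    acl="$1/.htaccess"
    pwfile=$(awk '$1 == "AuthUserFile" { print $2; exit }' "$acl")
    [ -f "$pwfile" ] || { echo "MISSING_PWFILE"; return 0; }
    # Apache's docs advise keeping the password file out of web-served folders.
    case $pwfile in "$1"/*) echo "PWFILE_IN_WEB_DIR" ;; esac
    allowed=$(awk '$1 == "Require" && $2 == "user" { for (i = 3; i <= NF; i++) print $i }' "$acl")
    have=$(cut -d: -f1 "$pwfile")
    for u in $allowed; do   # listed in .htaccess but has no password entry
        printf '%s\n' "$have" | grep -qxF "$u" || echo "NO_PASSWORD $u"
    done
    for u in $have; do      # still has a password entry but is no longer listed
        printf '%s\n' "$allowed" | grep -qxF "$u" || echo "STALE_ENTRY $u"
    done
    # htpasswd -m writes $apr1$ (MD5) hashes; htpasswd -B writes bcrypt ($2y$).
    awk -F: 'index($2, "$apr1$") == 1 { print "MD5_HASH " $1 }' "$pwfile"
}

# Constructed sample: carol is listed but has no password, bradley was removed
# from .htaccess only. The hash strings are placeholders, not real hashes.
make_sample() {
    d=$(mktemp -d)
    printf 'AuthName "Login to the Private Area"\nAuthType Basic\nAuthUserFile %s/.htpasswd\nRequire user andrea carol\n' "$d" > "$d/.htaccess"
    cat > "$d/.htpasswd" <<'EOF'
andrea:$2y$05$CONSTRUCTEDbcryptPLACEHOLDERvalue
bradley:$apr1$CONSTRUC$placeholderMD5value
EOF
    echo "$d"
}

sample=$(make_sample)
audit_htaccess "$sample"
rm -rf "$sample"
```

Run it against a real folder with audit_htaccess /var/www/html/Private after each change in Step 4 or Step 6.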