Password Protecting Files and Folders using .htaccess
Ronald MacDonald <firstname.lastname@example.org> Mon May 03 09:22:16 GMT 2010
It is possible, with the Apache WWW server, to protect files and folders by simple HTTP authentication.
Password protecting files and folders is carried out in two steps:
- Creating a file to store the username/password information
- Creating the .htaccess file within the directory you wish to protect.
Password File creation
.htpasswd file will contain a username and a password, separated by a colon (:) - one per line. The password in the file is encrypted.
The following command, available with most binary distributions of Apache (including OS X), will offer you the option of creating the file yourself:
htpasswd -c .htpasswd [username]
Alternatively you may try the online tool at http://www.rmacd.com/res/htpasswd
Now upload the file to the web server, making sure it is placed outside the Web root of the site if possible. If the .htpasswd file cannot be placed outside the web root, name it something not easily guessable - e.g. .adduqp2.
If you uploaded the file (from Windows) as a.htaccess, now’s the time to rename the file to .htaccess.
Creating the .htaccess file
To utilise the .htpasswd file, it must first be “recognised” by creating a .htaccess file. Create this in the directory to be protected.
The following must be inserted into the .htaccess file:
AuthUserFile /full/path/to/.htpasswd AuthType Basic AuthName "Secret Folder" Require valid-user
/full/path/to/.htpasswd is the full path to the .htpasswd file that you created. The full path is the path from the Web server’s root - not the site’s. The example .htaccess file will password protect all files and folders below in the folder that it is placed in.
If you use a web-based administration interface on your site, double check you’ve done everything above correctly - otherwise, you’ll block yourself out!
Protecting Individual Files
To password protect just a single file in a folder, use the following configuration in the .htaccess file:
AuthUserFile /full/path/to/.htpasswd AuthType Basic AuthName "Secret Page" <Files "secret.html"> Require valid-user </Files>
This will password protect just the secret.html file in the folder where you put the .htaccess file.
If you can’t access your data and the dialog keeps popping up, check that you entered the username and password correctly. If it still doesn’t work, check the path to your .htpasswd file on the server - make sure the path specified in the AuthUserFile directive is correct. Also make sure that both the .htpasswd and .htaccess files are readable by the Web server user (
chmod 644 should do the trick for UNIX/Linux/FreeBSD servers).
If the password protection isn’t working (i.e. you can still access your stuff without needing to enter a username/password), check that you uploaded your .htaccess file to the right folder. Also check that your web server supports .htaccess password protection (it needs to be an Apache server, and your server admin needs to have enabled the AuthConfig override for the site).
Password Protecting Additional Content
- If you want to password protect other folders - not under the currently protected folder - simply copy your .htaccess file to the new folder to be protected.
- To password protect more than one file in the same folder, just create more
<Files></Files>sections within the .htaccess file such as below:
AuthUserFile /full/path/to/.htpasswd AuthType Basic AuthName "Secret Page" <Files "secret.html"> Require valid-user </Files> <Files "private.html"> Require valid-user </Files>
You’re not restricted to just one username/password. If you want to add more users, simply repeat the "Creating the password file" procedure above, but add each new username/password line to your existing .htpasswd file, e.g.:
Alternatively, if you’ve got shell access to the server, then you can add extra users with the command:
htpasswd .htpasswd [username]
For further information see the Apache mod_auth documentation.