Hey,
Lately I had to secure some development stuff from being viewed by others. I had to do it quickly, so I chose to do it with a simple .htaccess file. Here's how I did it.
The authentication will be done against a file called passwords. Because I like everything in order, I will create this file in its own subdirectory (maybe there will be other password files for upcoming issues) and give ownership of it to my web server user (httpd).
debianhustler:~# mkdir /usr/local/apache2/passwd
debianhustler:~# touch /usr/local/apache2/passwd/passwords
debianhustler:~# chown -R httpd:httpd /usr/local/apache2/passwd
debianhustler:~# chmod 640 /usr/local/apache2/passwd/passwords
Now we need to add the users (here: sebastian and robert) who should be able to access the content. This is done with the htpasswd tool, which ships with Apache. (In my case the path to the Apache binaries was not in the $PATH variable and I had to add it.) The first time you add a user to the passwords file, you need to pass the -c flag, which creates the file; after that it is not needed. Be careful: if you add users with the -c flag every time, the existing entries will be overwritten.
debianhustler:~# htpasswd -c /usr/local/apache2/passwd/passwords sebastian
New password: custompassword
Re-type new password: custompassword
Adding password for user sebastian
debianhustler:~# htpasswd /usr/local/apache2/passwd/passwords robert
New password: robertspassword
Re-type new password: robertspassword
Adding password for user robert
Now we will edit our .htaccess file, which sets the options for how the content can be accessed and by whom.
debianhustler:~# vim /usr/local/apache2/htdocs/webpage/.htaccess
AuthName "This is private content"
AuthType Basic
AuthUserFile /usr/local/apache2/passwd/passwords
Require user sebastian robert
debianhustler:~# chown httpd:httpd /usr/local/apache2/htdocs/webpage/.htaccess
debianhustler:~# chmod 700 /usr/local/apache2/htdocs/webpage/.htaccess
It would be possible to add your auth options in the main Apache config (between <Directory> directives), but then you would need to restart the web server after every change. The .htaccess file, by contrast, is parsed on every HTTP access.
The AuthName option sets the header the login prompt will show. AuthType sets the authentication type; we will use Basic. With AuthUserFile you set the full path (don't use relative paths, that's ugly and buggy) to your passwords file, and with Require user you list those who should be able to access the content (they'll only be accepted if they are also in the passwords file; it's a stronger rule).
I prefer to use the Require user username1 username2 option because of its better control. If you have a whole bunch of users, this will get confusing. Therefore it's possible to set Require valid-user (then it is enough that the username is in the passwords file).
After I did everything above, I received a 500 Internal Server Error, because my passwords file was not readable by my Apache user httpd; a simple chown httpd:httpd on the file resolved the error.
This is a simple way to protect some content. To read more about authentication with Apache, read this Howto on the official Apache website.
Regards,
Sebastian
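An added example, not part of the original post: a small shell check for the setup described above. It reads AuthUserFile and Require user from a .htaccess file and flags a relative path, an unreadable file (the cause of the 500 error mentioned in the post), a passwords file inside the document root or readable by everyone, and listed users without an entry. The function name check_htaccess and the temporary directory layout are assumptions made for this illustration; run it as the web server user so the readability test reflects what Apache sees.

```shell
#!/bin/sh
# Added example: audit the password file that a .htaccess points to.
# Usage: check_htaccess HTACCESS DOCROOT   (returns 0 if clean, 1 otherwise)
check_htaccess() {
    htaccess=$1; docroot=${2%/}; rc=0
    # Path from the first AuthUserFile directive (paths with spaces unsupported).
    pwfile=$(awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2; exit }' "$htaccess")
    case $pwfile in
        "") echo "FAIL: no AuthUserFile in $htaccess"; return 1 ;;
        /*) ;;
        *)  echo "FAIL: AuthUserFile '$pwfile' is a relative path"; return 1 ;;
    esac
    # Run as the web server user: an unreadable file is what caused the 500.
    [ -r "$pwfile" ] || { echo "FAIL: $pwfile missing or unreadable"; return 1; }
    # A password file below the document root can be fetched by clients.
    case $pwfile in
        "$docroot"/*) echo "FAIL: $pwfile is inside the document root"; rc=1 ;;
    esac
    # The hashes should not be readable by every local account.
    if [ -n "$(find "$pwfile" -perm -004)" ]; then
        echo "FAIL: $pwfile is world-readable"; rc=1
    fi
    # Each name listed after "Require user" needs an entry in the file.
    users=$(awk 'tolower($1) == "require" && tolower($2) == "user" {
                     for (i = 3; i <= NF; i++) print $i }' "$htaccess")
    for u in $users; do
        cut -d: -f1 "$pwfile" | grep -qxF -- "$u" ||
            { echo "FAIL: no entry for '$u' in $pwfile"; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo "OK: $pwfile"
    return "$rc"
}

# Constructed sample layout in a temp dir, mirroring the paths in the post.
demo=$(mktemp -d)
mkdir -p "$demo/passwd" "$demo/htdocs/webpage"
printf 'sebastian:CONSTRUCTED-HASH\n' > "$demo/passwd/passwords"
chmod 640 "$demo/passwd/passwords"
printf 'AuthType Basic\nAuthUserFile %s\nRequire user sebastian robert\n' \
    "$demo/passwd/passwords" > "$demo/htdocs/webpage/.htaccess"
# robert is required but was never added, so this reports one failure.
check_htaccess "$demo/htdocs/webpage/.htaccess" "$demo/htdocs" || true
```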
hf & gl
Daniel
Which path must I use? Not /usr/local/apache2/htdocs/webpage/.htaccess, or?
No, sorry. Currently we are not supporting .htaccess files for webspace hosted on our servers.
Regards,
Sebastian
Er, so I must protect my files with a password-protected zip.
# from germany
Are downloads @ fsphost allowed?
German or English?
I think the settings had changed
We prefer to get comments in English because it allows most users to follow discussions made in this blog.
Sorry for my late response, but I have weekends too
Yes, downloading legal files is allowed at fsphost.com. But remember, if you are illegally sharing or downloading data, you become liable to prosecution and your account will be deleted immediately.
Regards and a nice sunday evening.
Sebastian