Password Protecting Directories and Files in Apache
Sometimes you may need to distribute files to various users over the Internet. Instead of giving each user a separate account, it is often easier to put the files on a Web page and use Apache's htpasswd to control the remote access.
Step 1: Create a file named .htaccess in the directory you want to protect.
    AuthName "Password protected files"
    AuthType Basic
    AuthUserFile /home/somewhere/.htpasswd
    Require valid-user
Keep the .htpasswd file someplace secure where it is not accessible by a browser. Set its permissions so Apache can read it.
Step 2: Create the new user
    cd /home/somewhere/
    htpasswd -m .htpasswd username
If the .htpasswd file doesn't exist, use this command instead:
    htpasswd -cm .htpasswd username
which will create a new .htpasswd file and delete the old one.
Step 3: Edit httpd.conf
Change the AllowOverride option
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   Options FileInfo AuthConfig Limit
    #
    # AllowOverride None
    AllowOverride AuthConfig Limit
and restart Apache. This only needs to be done once.
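The advice in Step 1 (keep .htpasswd where a browser cannot reach it, with permissions that let Apache read it) can be checked with a short script. This is an added example, not part of the original page; the function names, the world-readable check and the sample entries are assumptions made for illustration.

```python
import os
import stat
import tempfile

# Prefixes htpasswd writes; the -m flag used above produces $apr1$ entries.
SCHEMES = {"$apr1$": "apr1-md5", "$2y$": "bcrypt", "{SHA}": "sha1-unsalted"}
WEAK = ("sha1-unsalted", "crypt-or-plaintext")

def classify(hash_field):
    """Name the hash scheme of one .htpasswd password field."""
    for prefix, name in SCHEMES.items():
        if hash_field.startswith(prefix):
            return name
    return "crypt-or-plaintext"  # htpasswd -d (crypt) or -p (cleartext)

def audit_htpasswd(path, document_root):
    """Return a list of findings for an AuthUserFile; empty means none."""
    findings = []
    real = os.path.realpath(path)
    root = os.path.realpath(document_root)
    # Step 1: the file must not sit where a browser can request it.
    if os.path.commonpath([real, root]) == root:
        findings.append("file is inside DocumentRoot")
    # Assumed policy: Apache reads it via owner/group, not "other".
    if stat.S_IMODE(os.stat(real).st_mode) & stat.S_IROTH:
        findings.append("file is world-readable")
    with open(real, encoding="utf-8") as fh:
        for n, line in enumerate(fh, 1):
            line = line.strip()
            if not line or line.startswith("#"):
                continue  # Apache skips blank lines and comments too
            user, sep, hash_field = line.partition(":")
            if not sep or not user or not hash_field:
                findings.append(f"line {n}: not in user:hash form")
            elif classify(hash_field) in WEAK:
                findings.append(f"line {n}: weak scheme for user {user}")
    return findings

def demo():
    """Audit a constructed layout: .htpasswd placed inside the web root."""
    with tempfile.TemporaryDirectory() as tmp:
        docroot = os.path.join(tmp, "htdocs")
        os.makedirs(docroot)
        bad = os.path.join(docroot, ".htpasswd")
        with open(bad, "w", encoding="utf-8") as fh:
            # Constructed entries; the hashes are placeholders.
            fh.write("alice:$apr1$CONSTRUCTED$placeholder\n"
                     "bob:{SHA}CONSTRUCTEDplaceholder=\n")
        os.chmod(bad, 0o644)
        return audit_htpasswd(bad, docroot)
```

Run `audit_htpasswd()` with the AuthUserFile path and the server's DocumentRoot; `demo()` shows the findings produced for a misplaced, world-readable file.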
Problems
Sometimes it can be tricky to get Apache to block a directory, especially if it's in the DocumentRoot folder, because other directives in the httpd.conf file counteract it. The usual solution is to place the protected files in a directory outside of the Apache area altogether.
Another annoyance is that once you've typed a valid password, it's necessary to stop and re-start your browser before Apache asks for the password again.
The AllowOverride option, together with the authentication directives, can also be placed in a <Directory> block in your httpd.conf file. Here's an example:
    <Directory "/usr/local/awstats/wwwroot">
        Options None
        AllowOverride AuthConfig
        AuthName "Password Protected Files"
        AuthType Basic
        AuthUserFile /usr/local/httpd/.htpasswd
        Require valid-user
    </Directory>