
The HTAccess Authentication/Password Protection tutorial covers web-based user
authentication using a .htaccess file. Web-based authentication denies web access to
visitors who do not give a valid username and password. This password protection feature
allows webmasters to restrict access to certain directories. The usernames and encrypted
passwords are kept in a webmaster-maintained file. This is not the same as ordering
another FTPonly Account. Visitors do not need to have a XyNexT Account to use web-based
access -- the mechanisms are separate and unique.
Difficulty: Easy to Medium
You will need the following basic skills:
- Ability to telnet and log in to your virtual domain
- Ability to use a text editor (such as joe or pico on our system or notepad on yours)
- Working knowledge of paths and basic filesystem navigation (cd, mkdir, etc.)
Here we go!
The following is an example use of the .htaccess file. Let's assume that it resides at
/mnt/web/guide/somewhere/somepath/.htaccess:
AuthUserFile /mnt/web/guide/somewhere/somepath/.htpasswd
AuthGroupFile /dev/null
AuthName "Somewhere.com's Secret Section"
AuthType Basic
<Limit GET POST>
require valid-user
</Limit>
The .htaccess file affects the directory in
which it is placed, so in this example, any visitor requesting <URL:http://somewhere.com/somepath/>
would be presented with an authentication request.
The .htaccess file also affects directories recursively below it. Therefore,
requesting <URL:http://somewhere.com/somepath/evenmore/> would yield the
same authentication request unless ~/somepath/evenmore had a .htaccess file of
its own.
The first line, starting with AuthUserFile, tells the webserver where to find your
username/password file. We'll create that file in a minute. For now, change the AuthUserFile
line as necessary for your use.
Notice that the AuthName in the example, "Somewhere.com's Secret
Section," is used in the authentication request. Although the quotes are not
necessary in some older versions of Apache, we recommend using them to avoid future
incompatibility.
Using your favorite text editor, create a file similar to the example, replacing
AuthUserFile and AuthName with values for your situation. Be sure to name the file
.htaccess. (You can create the file locally and FTP it up to the server, or you can log
in to the server via telnet and create the file using pico or joe.)
Now that we understand the basic .htaccess model, how can we specify who is allowed? We'll
create the .htpasswd file named in the AuthUserFile line above.
To create an .htpasswd file, log in to the server via telnet and go to the directory you
specified in AuthUserFile. In the example, this is /mnt/web/guide/somewhere/somepath.
Then use the htpasswd program with the -c switch to create your .htpasswd
in the current directory.
Type htpasswd -c .htpasswd username to create the file and add
"username" as the first user. The program will prompt you for a password, then
verify by asking again. You will not see the password when entering it here:
wwwX:/mnt/web/guide/YOURDOMAINNAME/somepath# htpasswd -c .htpasswd username
Adding password for username.
New password:
password
Re-type new password:
password
To add more users in the future, use the same command without the -c
switch: htpasswd .htpasswd bob will add username "bob" to your .htpasswd
file.
To delete users, open the .htpasswd file in a text editor and delete the appropriate
lines:
username:v3l0KWx6v8mQM
bob:x4DtaLTqsElC2
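An added example, not part of the original tutorial: a small Python check run over the tutorial's own .htaccess and .htpasswd contents. It flags a require line that <Limit> scopes to only the listed methods, a password file kept inside the directory the web server serves, and 13-character traditional crypt hashes like the two shown above. The function names are hypothetical.

```python
import re
from pathlib import PurePosixPath

def audit_htaccess(text, served_dir):
    """Findings for a .htaccess body; served_dir is the web directory it protects."""
    findings, limited = [], None
    for raw in text.splitlines():
        line = raw.strip()
        opened = re.match(r"<Limit\s+([^>]+)>", line, re.I)
        if opened:
            limited = opened.group(1).split()
        elif re.match(r"</Limit>", line, re.I):
            limited = None
        elif limited and re.match(r"require\b", line, re.I):
            findings.append("require covers only " + ",".join(limited)
                            + "; other methods skip authentication")
        elif re.match(r"AuthUserFile\s", line, re.I):
            path = PurePosixPath(line.split(None, 1)[1].strip('"'))
            if PurePosixPath(served_dir) in path.parents:
                findings.append(f"{path} is inside the served directory")
    return findings

def classify_hash(field):
    """Name the scheme of one .htpasswd hash field from its prefix or shape."""
    if field.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if field.startswith("$apr1$"):
        return "apr1-md5"
    if field.startswith("{SHA}"):
        return "sha1-unsalted"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "des-crypt"  # traditional crypt(3): only 8 password chars count
    return "unknown"

def weak_users(htpasswd_text):
    """Users stored as DES crypt or unsalted SHA-1."""
    weak = []
    for line in htpasswd_text.splitlines():
        user, sep, field = line.strip().partition(":")
        if sep and classify_hash(field) in ("des-crypt", "sha1-unsalted"):
            weak.append(user)
    return weak

# Sample input: the tutorial's own example files, abbreviated.
HTACCESS = ("AuthUserFile /mnt/web/guide/somewhere/somepath/.htpasswd\n"
            "AuthType Basic\n<Limit GET POST>\nrequire valid-user\n</Limit>\n")
HTPASSWD = "username:v3l0KWx6v8mQM\nbob:x4DtaLTqsElC2\n"

if __name__ == "__main__":
    print(audit_htaccess(HTACCESS, "/mnt/web/guide/somewhere/somepath"), weak_users(HTPASSWD))
```

Dropping the <Limit> wrapper makes require apply to every method, and htpasswd -B in current Apache releases writes bcrypt hashes instead of traditional crypt.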
To learn more about htaccess's capabilities, check out NCSA's site.