How to Restrict Access to Web Pages


The method described below relies on sending clear-text passwords over unencrypted network connections. It is possible that someone could sniff the network between a browser and your web page and steal passwords. Use unique passwords to restrict access to web pages; do not use passwords that are also used to log in to other systems.

Restricting access to web pages takes two steps. First, you create a file containing the usernames and passwords. Second, you tell the server what resources are to be protected and which users are allowed to access them, after entering a valid password.

A list of users and passwords needs to be created in a file. The examples here will assume that a user with the username duke and a home directory /home/staff/duke wants to use a file /home/staff/duke/public_html/.htpasswd for the list of users and passwords. Note that the name .htpasswd is a special filename that is not served by the webserver; that is, it is used by the webserver for authentication, but it is not accessible for people to download or read.

The file will consist of a list of usernames and a password for each. The format is similar to the standard UNIX password file, with the username and password being separated by a colon. However, you cannot just type in the usernames and passwords, because the passwords must be stored in an encrypted format. The program htpasswd is used to create a user file and to add or modify user entries.

For example, to create a new user file and add the username martin with the password hampster to the file .htpasswd in your home directory, you would execute this command at a UNIX command prompt:

     htpasswd -c $HOME/public_html/.htpasswd martin

The -c argument tells htpasswd to create a new users file. When you run this command, you will be prompted to enter a password for martin, and confirm it by entering it again. Other users can be added to the existing file in the same way, except that you would not use the -c argument. The same command can also be used to modify the password of an existing user.

After adding a few users, your users file might look like this:


The first field is the username, and the second field is the encrypted password.
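As an added example that is not from the original page, the following Python reproduces what htpasswd does with that second field: it builds an entry in the "$apr1$" MD5 format htpasswd writes by default (the apr_md5_encode algorithm from APR), parses the username:hash lines of a users file, and checks a password against them. The salts, the user jane and the password s3cret are constructed for the sample; martin and hampster come from the page.

```python
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, count):
    # apr's to64(): emit `count` base-64 chars, least significant 6 bits first
    return "".join(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(count))

def apr1_hash(password, salt=None):
    # The "$apr1$" MD5 scheme htpasswd writes by default; random 8-char salt if none given
    salt = salt or "".join(secrets.choice(ITOA64) for _ in range(8))
    pw, s = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + b"$apr1$" + s)
    alt = hashlib.md5(pw + s + pw).digest()
    for n in range(len(pw), 0, -16):      # mix in md5(pw+salt+pw), 16 bytes at a time
        ctx.update(alt[:min(16, n)])
    n = len(pw)
    while n:                              # one byte per bit of the password length
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for r in range(1000):                 # 1000 stretching rounds, as in apr_md5_encode
        c = hashlib.md5(pw if r & 1 else final)
        if r % 3:
            c.update(s)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64(final[a] << 16 | final[b] << 8 | final[c], 4) for a, b, c in groups)
    return "$apr1$%s$%s" % (s.decode(), enc + _to64(final[11], 2))

def parse_htpasswd(text):
    # One "username:hash" entry per line, the layout the page describes; comments skipped
    return dict(line.strip().split(":", 1) for line in text.splitlines()
                if ":" in line and not line.startswith("#"))

def verify(users, username, password):
    # Re-hash with the stored salt and compare in constant time; unknown users fail closed
    stored = users.get(username, "")
    if not stored.startswith("$apr1$"):
        return False
    return hmac.compare_digest(apr1_hash(password, stored.split("$")[2]), stored)

# Constructed sample users file (fixed salts so the entries are reproducible)
SAMPLE_HTPASSWD = "martin:%s\njane:%s\n" % (apr1_hash("hampster", "Zx8kQp1a"),
                                            apr1_hash("s3cret", "pL0nTq4w"))
```

Because the salt is stored in clear in the entry, verification works by re-hashing the offered password with that salt; a user not in the file, or a wrong password, is rejected the same way the server would reject it.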

Once you have created your users file, you need to set its permissions so that it is accessible to the web server. To do this, use the chmod command:

     chmod og+r $HOME/public_html/.htpasswd

To restrict a directory to any user listed in the users file just created, you should create a .htaccess file in that directory. The following example will assume that user duke wants to restrict the directory /home/staff/duke/public_html/private. The .htaccess file would be /home/staff/duke/public_html/private/.htaccess, and it should contain something like this:

     AuthName "my_auth_name"
     AuthType Basic
     AuthUserFile /home/staff/duke/public_html/.htpasswd
     require valid-user

The first directive, AuthName, specifies a name for this protected area. The AuthName "my_auth_name" is just an example; you can use any AuthName you like. The AuthType should always be Basic. AuthUserFile tells the server the location of the user file created by htpasswd. NOTE: The AuthUserFile entry MUST NOT be a relative path or a path that begins with the usual shorthand for your home directory, such as ~ or $HOME.

The require directive tells the server which usernames from the file are valid for particular access methods. In this example, the argument valid-user tells the server that any username in the users file can be used. But it could be configured to allow only certain users in:

     require user martin jane

would only allow users martin and jane access (after they entered a correct password). If user art (or any other user) tried to access this directory--even with the correct password--they would be denied.

Once you have created your .htaccess file, you again need to set its permissions so that it is accessible to the web server. To do this, use the chmod command again:

     chmod og+r $HOME/public_html/private/.htaccess