Customer Resource: How to password protect a Directory

The Apache web server allows you to password protect directories with the .htaccess and .htpasswd configuration files. If you would like to protect a directory on your site, please follow the instructions below.

Create a directory on the server
Use your favorite ftp client to create the directory you want to protect on the server. The directory has to be created in the directory tree under htdocs.

Example:
Let's say I want to protect a test directory. I would create this directory called "test" in "htdocs".

Creating the .htaccess file

First you will have to create the .htaccess file.
You should copy the lines below and save them as a plain text file with the name ".htaccess".
Please copy everything between the " BEGIN .htaccess " and " END .htaccess " lines:

----------- Begin .htaccess ---------

AuthUserFile /www/home/your_domain.com/htdocs/your_directory/.htpasswd
AuthName Protected-Area
AuthType Basic
<limit GET>
require valid-user
</limit>

----------- End .htaccess ---------

After you have copied these lines into a new text file, you will have to modify the AuthUserFile directive.

AuthUserFile:
Please replace "your_domain.com" with your domain name and "your_directory" with the name of the directory you want to protect. This directory has to be created beneath the htdocs directory.

Example:
Let's say my domain name is "anything.com" and my directory is called "test". Then my AuthUserFile directive would be:

AuthUserFile /www/home/anything.com/htdocs/test/.htpasswd

Finally, save the document as a plain text file and name it ".htaccess", (without quotation marks and in lower case). After saving, please verify that your text editor has not appended the file extension ".txt". You may have to rename the file from ".htacess.txt" to ".htaccess".

Creating the .htpasswd file

The next step consists in encrypting your password and creating the password file.

Please choose a username and password and use the form below to obtain your password hash.

Copy the line into a new text document and save it as ".htpasswd" (and again without quotation marks,in lower case, and no ".txt" file extension).

Example:
The password file entry for the user Bob would look something like this:

----------- Begin .htpasswd---------

Bob:axFAaXpmb81qQ

----------- End .htpasswd----------

For several users, just add their password hash, to the password file on a separate line.

----------- Begin .htpasswd ---------

Bob:axFAaXpmb81qQ
peter:99og8d/51IPt.
pierre:oMkE9ZNU1mASU
mark:VhMS7KdsN.rlc
john:E.DSv1KG/Bg/.

------------ End .htpasswd -----------

Upload both configuration files into your directory!

Now that you have created both configuration files, you have to ftp both files into the directory you want to protect. Make sure that you upload both files in ASCII mode, i.e. as text and not in binary. Also, make sure that the file names are indeed ".htaccess" and ".htpasswd", and that they are in lower case, no quotation marks, and without a ".txt" file extension.

If you try to access your directory now in your browser, you should be prompted for a username and password.

Voila, done!

Common questions!

• How do I delete a user?
  To delete a user, simply remove the name and password from the .htpasswd file and upload the file again.
• Can my protected directory be located elsewhere in the directory tree then directly under htdocs?
  Yes! Your directory can be created anywhere in the directory tree under htdocs. However, you will have to modify the AuthUserFile directive and indicate the full path to your directory.
• Can I password protect my whole site?
  Yes! Just place the .htaccess and .htpasswd files in your home directory and modify the AuthUserFile directive to " AuthUserFile /www/home/your_domain.com /.htpasswd".
• I have quite a large list of users. Can In organize my users in groups?
  Yes! Htaccess allows you to organize your users in groups.
  Just add the AuthGroupFile directive to your .htaccess file and create the .passwd.group file.
  You can then restrict acess by groupnames by placing an .htaccess file into a directory that you want to protect, and by specifying the group or groups with the require group directive.

Please find an example below.

----------- Begin .htaccess ---------

AuthUserFile /www/home/your_domain.com/.htpasswd
AuthGroupFile /www/home/your_domain.com/.passwd.group
AuthName Protected-Area
AuthType Basic
<limit GET>
require group groupname1
</limit>

----------- End .htaccess ---------

----------- Begin .passwd.group ---------

groupname1: user1 user2 user3
groupname2: user5 user6 user7

-------- End .passwd.group ---------

----------- BEGIN .htpasswd ---------

user1:axFAaXpmb81qQ
user2:99og8d/51IPt.
user3:oMkE9ZNU1mASU
user5:VhMS7KdsN.rlc
user6:E.DSv1KG/Bg/.
user7:H8kfR3.iP6V

------------ END .htpasswd -----------

• Can I restrict acces to my site by IP or domain name?
  Yes! The following is an example of how to allow access to certain IPs or domains.

----------- Begin .htaccess ---------

<Limit GET>
order deny,allow
deny from all
allow from .allstream.com
allow from 216.209.194.135
</Limit>

----------- End .htaccess ---------

• The "order deny, allow" command specifies the order in which the deny/allow commands are processed.
• The "deny from all" command specifies that all host names and addresses that will be denied access to the page in the directory.
• The "allow from" command specifies a list of hosts and addresses that will be allowed access.

In this example, all access is denied to all browsers in the third line, then the next two lines allow access from any browser from "allstream.com" and from the IP "216.209.194.135".