This tutorial is designed to provide password protection of web directories
on a UNIX/Linux server. If you have a directory that you do not want
the general public to have access to, this simple procedure will produce
a username and password prompt anytime someone tries to access the directory.

STEP 1: Configuration of .htaccess file.
- First we must create what is known as the .htaccess authentication
file. This file controls who has access to the files
in the directory and what types of operations they are allowed to perform
within the directory. This tutorial will restrict who is able to view
(GET) files from the directory and upload (POST) files into the directory.
For more elaborate security measures, check out Apache's
web site.
- Open your favorite editor (on Windows®, Notepad works well) or telnet
into your web server and use a Unix editor like vi.
- Using the text below as a guideline, create a text file where /var/www/html/private/
is the absolute path of the directory where you would like to store
your authentication usernames/passwords and My Private Directory is the
name you would like for the authentication window.
    AuthUserFile /var/www/html/private/.htpasswd
    AuthGroupFile /dev/null
    AuthName "My Private Directory"
    AuthType Basic
    <Limit GET POST>
    require valid-user
    </Limit>
- Note: the absolute path to the .htpasswd file is
very important. If unsure about this path, ask your hosting provider
or telnet into the server and, from the directory where you want to keep
your usernames/passwords, type pwd at the shell prompt.
- Note: the .htaccess file also protects subdirectories
of the directory in which it is placed.
- Save this file as .htaccess.
- The .htaccess file needs to be placed inside the directory you would
like protected. If the file was created on your local workstation, ftp
the file into the directory you want protected. If a Unix editor like
vi was used, use the mv command to move the file to the required directory.

STEP 2: Configuration of the .htpasswd file
- Second we must create the .htpasswd file. This file contains the usernames
and passwords of the individuals we authorize to access our directory
and its subdirectories.
- In order to create this file you must telnet into your server.
- Using the cd command, go to the directory you specified in your
AuthUserFile (in this example, we specified /var/www/html/private/).
- Type htpasswd -c .htpasswd username to create the .htpasswd file
and add "username" to the list of authorized users. The program
will initially prompt you for a password and then ask you to verify
it.

- To add new users, use the same command without the -c switch. For
example, to add the user foo, type htpasswd .htpasswd foo.
- To delete users, open the .htpasswd file using your favorite Unix
editor, like vi, and delete the row(s) associated with the specific
user(s) that you want to remove.

STEP 3: Test your configuration
- Open your browser and type the URL and path to the directory where
you placed the .htaccess file. For example, if you placed the .htaccess
file in a subdirectory called private that is contained within your
web directory, then you would type <http://www.mydomain.com/private/>.
If you were successful, you should get a dialog box prompting you for
a username and password.

STEP 4: Troubleshooting your configuration
- The most common mistake is not using the correct path to the .htpasswd
file in step one above. To be certain that you are using the correct
absolute path, follow these steps:
  - Telnet into your server.
  - Use the change directory command, cd, to access the directory where
    your .htpasswd file is located.
  - Use the list files command with the <all contents> and <long
    format> options (ls -la) to be sure your .htpasswd file is present.
  - Use the print working directory command (pwd) to display the
    absolute path to your .htpasswd file. This path should be identical
    to the path listed in Step 1 (/var/www/html/private/ in the example
    above).
- Another common mistake is misconfiguration of the Apache config file.
  - If you have a hosting provider, contact technical support to verify
    that they allow their users to use .htaccess authentication.
  - If you host your own server, open your Apache config file using
    your favorite editor (in RedHat® Linux 7.1, the file can be found
    in /etc/httpd/conf/httpd.conf).
  - Scroll down the file and make sure the AllowOverride option is set
    to All.

- If you are still having problems, there are a variety
of free password protection scripts written in Perl that may be suitable
for your needs, or you can purchase .htaccess manager, an easy-to-use
utility which will allow you to customize user password protection on
any directory.
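
The path checks from Step 4 can be automated with a small shell function. This is an added example, not part of the original tutorial; the function name check_htaccess and the script name are hypothetical, and it assumes the AuthUserFile path contains no spaces.

```shell
#!/bin/sh
# Added example: sanity-check the Step 1 / Step 2 files for one directory.
# check_htaccess DIR prints one finding per line and returns 0 only when
# DIR/.htaccess names a password file that exists and has at least one entry.
check_htaccess() {
    ht="$1/.htaccess"
    [ -f "$ht" ] || { echo "missing: $ht"; return 1; }

    # First AuthUserFile argument, quotes stripped. Assumption: the path has
    # no spaces, as in the tutorial's /var/www/html/private/.htpasswd.
    pw=$(awk 'tolower($1) == "authuserfile" { print $2; exit }' "$ht" | tr -d '"')
    [ -n "$pw" ] || { echo "no AuthUserFile directive in $ht"; return 1; }

    rc=0
    # Apache resolves a relative AuthUserFile against ServerRoot, not against
    # the protected directory, so anything but an absolute path is flagged.
    case $pw in
        /*) ;;
        *) echo "AuthUserFile is not an absolute path: $pw"; rc=1 ;;
    esac

    if [ ! -f "$pw" ]; then
        echo "password file not found: $pw"; rc=1
    elif ! grep -q '^[^:][^:]*:.' "$pw"; then
        echo "no user:hash entries in $pw"; rc=1
    fi

    if ! grep -qi '^[[:space:]]*require[[:space:]]' "$ht"; then
        echo "no require line in $ht"; rc=1
    fi

    # Informational only: methods not named in <Limit> are left unprotected.
    if grep -qi '^[[:space:]]*<limit[[:space:]]' "$ht"; then
        echo "note: <Limit> restricts only the methods it lists"
    fi
    return "$rc"
}

# Run against a directory given on the command line, e.g.
#   sh check_htaccess.sh /var/www/html/private
if [ "$#" -gt 0 ]; then check_htaccess "$1"; fi
```

A non-zero exit status means at least one of the Step 4 problems was found; the "note:" line alone does not change the exit status.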