How to protect personal web pages with a password

From ISRWiki

This method protects a directory (and all its subdirectories recursively) with one (or more) password(s).

Two files are required: the passwords file described below, and a text file called ".htaccess" (note the leading dot), placed in the directory to protect. The minimal contents of ".htaccess" are:

AuthName "CHANGE ME"
AuthType Basic
AuthUserFile users_file
require valid-user

You can change the string the browser displays when it asks for the password ("CHANGE ME") and the name of the file containing the passwords (users_file). Using an absolute path (e.g., /home/yoda/whatever) is preferred for security reasons. The passwords file should NOT be placed anywhere inside the public_html directory.

The /usr/sbin/htpasswd command can be used to manage this passwords file. Examples: (1) to create a new file called "users_file" with a user called "major" use the recipe:

/usr/sbin/htpasswd -cm users_file major

(use the "man htpasswd" command for further details); (2) to change the password of "major" in the already existing passwords file "users_file", use:

/usr/sbin/htpasswd -m users_file major

Note that all subdirectories of the one containing the .htaccess file inherit this protection scheme.
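
The advice above (an absolute AuthUserFile path, pointing outside public_html) can be checked mechanically. The following script is an added example, not part of the original wiki page; the function name check_htaccess, its return codes and the temporary directory layout are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the wiki): audit a .htaccess against the advice above.
# Usage:   check_htaccess HTACCESS_FILE PUBLIC_HTML_DIR
# Returns: 0 ok, 1 no AuthUserFile, 2 relative path, 3 passwords file under
#          PUBLIC_HTML_DIR, 4 no "require" line, 5 a directory cannot be resolved.
# Assumption: the AuthUserFile path contains no spaces.
check_htaccess() {
    htaccess=$1
    webroot=$(cd "$2" 2>/dev/null && pwd -P) || return 5
    # Directive names are case-insensitive; this parser keeps the last AuthUserFile.
    pwfile=$(awk 'tolower($1) == "authuserfile" { p = $2 }
                  END { gsub(/"/, "", p); print p }' "$htaccess")
    [ -n "$pwfile" ] || return 1
    case $pwfile in
        /*) ;;                 # absolute path, as the page recommends
        *)  return 2 ;;        # relative path such as "users_file"
    esac
    # Resolve symlinks so a link pointing back into the web tree is caught too.
    pwdir=$(cd "$(dirname "$pwfile")" 2>/dev/null && pwd -P) || return 5
    case "$pwdir/" in
        "$webroot"/*) return 3 ;;   # passwords file is somewhere under public_html
    esac
    # Without a "require" line the authentication settings are not enforced.
    grep -qi '^[[:space:]]*require[[:space:]]' "$htaccess" || return 4
    return 0
}

# Constructed sample: a temporary tree standing in for a user's home directory.
demo=$(mktemp -d)
mkdir -p "$demo/public_html/private" "$demo/secrets"
: > "$demo/secrets/users_file"
printf 'AuthName "CHANGE ME"\nAuthType Basic\nAuthUserFile %s\nrequire valid-user\n' \
    "$demo/secrets/users_file" > "$demo/public_html/private/.htaccess"
if check_htaccess "$demo/public_html/private/.htaccess" "$demo/public_html"; then
    echo "OK: passwords file is absolute and outside public_html"
fi
rm -rf "$demo"
```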

P.S.: the .htaccess file not only allows you to password-protect directories, but also to arbitrarily change the web server settings. See the corresponding documentation page to look up all configuration directives of the Apache web server. However, note that not all directives are allowed in user directories, for security reasons. The omni web server is configured with the following AllowOverride line for the public_html user directories:

AllowOverride FileInfo AuthConfig Limit Indexes