.htaccess file tutorial

An .htaccess file can be used within a web site (if you are running on the apache server) to require a password to access portions of the website.

First off, I am obliged to say, "go read the apache manual", however since I know that it is among the more inscrutable (albeit comprehensive) objects on the planet, I do feel that I should offer a brief summary of "what works for me", with the usual caveat that there may be holes I am not aware of. Since we are talking security here, it pays to watch every detail and your backside as well.

You can refer to MY copy of the apache manual or go to the Apache project website.

Now, on with the show ...

For local access control to work at all, you must enable it in your main apache config file. In my case this is /etc/httpd/conf/httpd.conf, and the line that enables this business looks like:

# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
#   Options FileInfo AuthConfig Limit
#    AllowOverride None
    AllowOverride AuthConfig

If you change this setting, you must restart the server for it to take effect.

A pair of files is actually involved, .htpasswd and .htaccess. Typically you have only one .htpasswd and one or more .htaccess files. You want to be careful where you place your .htpasswd file. If people can just fetch it via your web server, you are in trouble!

In my case, the .htpasswd file is entirely outside of my document root. For example if my document root was /disk3/www I would create a directory /disk3/secrets and put .htpasswd in there.
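As an added example (not from this page's author), here is how the server-side half of this setup can look in httpd.conf, tying the AllowOverride setting above to the placement of the secrets directory. The paths /disk3/www and /disk3/secrets are the ones used on this page; the directive syntax is Apache 2.4's (Require all denied). On Apache 2.2 the equivalent of each "Require all denied" is "Order deny,allow" followed by "Deny from all".

```apache
# httpd.conf (assumed path /etc/httpd/conf/httpd.conf, as on this page)

# Allow .htaccess files under the document root to carry only the
# authentication directives (AuthType, AuthName, AuthUserFile, Require).
# Anything else in an .htaccess file is ignored, which keeps a writable
# web directory from overriding Options, handlers, etc.
<Directory "/disk3/www">
    AllowOverride AuthConfig
</Directory>

# Defence in depth: refuse to serve any .ht* file even if one ends up
# under the document root. Apache's stock httpd.conf ships an
# equivalent block; make sure it has not been removed.
<Files ".ht*">
    Require all denied
</Files>

# The secrets directory sits outside /disk3/www, so it is not served at
# all. Denying it explicitly guards against a later Alias or DocumentRoot
# change that would otherwise expose it.
<Directory "/disk3/secrets">
    Require all denied
</Directory>
```

After editing httpd.conf, check the syntax with "apachectl configtest" (or "httpd -t") before restarting, and confirm from a browser that a request for /.htpasswd or /secrets/ returns a 403, not the file.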

If you aren't on a linux system with access to the command line, you will have to modify what follows. Run the htpasswd program to generate passwords. Here is how you could do it:

htpasswd -bc zzz joe xyz
mkdir /disk3/secrets
cp zzz /disk3/secrets/.htpasswd
rm zzz

This generates a one line password file that looks like:

joe:IdOcjajKM2nKs

If you already had a password file and just wanted to add another line to it, use an editor to append the contents of zzz, or do this:

htpasswd -bc zzz sam abc
cat zzz >>/disk3/secrets/.htpasswd
rm zzz

Now that this is set up, you can just drop an .htaccess file into any directory to protect that directory and everything below it. The .htaccess should look like:

AuthUserFile /disk3/secrets/.htpasswd
AuthName joe
AuthType Basic
<Limit GET>
   require valid-user
</Limit>
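An added example, not the page's own file: the same .htaccess written so that the requirement applies to every HTTP method. Apache applies a <Limit> section only to the methods it lists (GET also covers HEAD), so a "require valid-user" inside <Limit GET> leaves POST, PUT, DELETE and the rest unauthenticated, which matters the moment a script or upload handler lives under the protected directory. The path in the comment is assumed; the AuthUserFile path is the one used on this page.

```apache
# /disk3/www/private/.htaccess (assumed path)

AuthType Basic
# The realm string is what the browser shows in its login prompt; quote it
# if it contains spaces. It is not a user name.
AuthName "Restricted area"
AuthUserFile /disk3/secrets/.htpasswd

# No <Limit GET> wrapper: this line now covers all methods, not just GET/HEAD.
Require valid-user

# To admit only specific accounts from .htpasswd instead of any valid one,
# replace the line above with:
#   Require user joe sam
```

To check the fix, send a POST to a protected URL (for example with "curl -X POST -i") and confirm it gets a 401 just like a GET does; with the original <Limit GET> file the POST goes through without credentials.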