If you have a web site that contains sensitive documents such as test results, scripts, or an administration section, then you need directory security to stop unauthorized people from accessing certain parts of your site. In this article, Hassan will show you how to setup htaccess security for folders on your Apache web server.
Securing Directories With htaccess - The .htaccess file explained (Page 2 of 4 )
Htaccess is a username/password authentication scheme that is triggered whenever a certain directory/file on a htaccess aware web-sever (such as Apache) is requested. Htaccess is a plain-text authentication method, which means that your username and password are sent across the net as plain, un-encoded text. Although there is a slight change that someone using a packet sniffer could sniff the appropriate packets, plain-text authentication is just as safe as starting a telnet or ftp session.
To secure a directory on your web server using .htaccess, you create two files:
.htaccess: This file stores a list of preferences and details relating to the authentication methods and permissions of the current directory.
.htpasswd: This file stores an encrypted list of username and password combinations which are used by the Apache server in conjunction with the .htaccess file to grant/deny permission on a per session basis (I say “per session”, because most browsers automatically remember your login details for the length of a single session. This means that you won’t have to enter them for every page request. The browser will do it for you automatically).
It is important to remember that a .htaccess file that resides in /dir1 will also protect any sub-directories of /dir1, such as /dir1/sub1, unless there is a .htaccess and .htpasswd file located in /dir1/sub1 as well. If there is, then they will override the parent .htaccess and .htpasswd files. In other words, the htaccess authentication scheme is spawned hierarchically by default.
The .htaccess file acts like a configuration script, and provides the Apache server with some details and options whenever authentication is required. Create a new file named .htaccess on your local machine. Enter the following data into the .htaccess file:
AuthName My Secure Directory
As you can see, our .htaccess file is separated into two sections: The authentication request details section, and the user permissions section. Lets break down each section.
On the first line, we have a reference to what is known as a .htpasswd file. This file stores a list of username/password combinations which Apache uses to validate each login attempt (more on this file soon).
In our example above, our .htpasswd file is located in the virtual directory /www/htdocs/secure. You should change this to match the virtual path of the directory that you want to protect.
On the second line, we have a reference to an authentication group file. This file is used to separate users into groups based on a common interest or focus, such as students and teachers, for example. We will not be using a group file, so we specify /dev/null, which tells Apache that one doesn’t exist.
AuthName My Secure Directory
On the third line, we set the authentication name. The authentication name can be anything you like and is displayed as the “Realm” when the users authentication details are requested, as shown below:
The AuthType variable sets the authentication type for the request. Because we are using basic web-based authentication, we simply set it to Basic. Other values include PGP and Digest.
The next section of our .htaccess file, the users permissions section, sets the request and response methods that an authenticated user has access to:
In our .htaccess file, we allow authenticated users access to access any part of our site where the GET method is available (Basically, users can view a page, but they can’t fill out any forms, etc). Other limit values include PUT and POST.
Between the <Limit> and </Limit> tags, we can either list a number of users who will have access to our protected directory using the “require user” keywords, such as:
require user joe
require user fred
require user jane
Or, (as we have done our .htaccess file) we can simply grant access for any valid user:
That completes the description of a basic .htaccess file. When an un-authenticated user visits our protected directory, the .htaccess file is loaded and parsed by Apache, and an authentication dialog box is shown. Now that we know how to set the options for an authentication requesuest, it’s time to actually add users to our authentication list.
This can be done using the standard htpasswd program.