Tuesday, January 4, 2011

Password Protect a Directory or File with .htaccess htpasswd

SkyHi @ Tuesday, January 04, 2011
A tutorial explaining how to restrict access to a directory on a web server using .htaccess.

# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit

<Directory /var/www/example.com/html/admin>
AllowOverride All

Password protecting a directory can be done several ways. Many people use PHP or ASP to verify users, but if you want to protect a directory of files or images (for example), that often isn't practical. Fortunately, Apache has a built-in method for protecting directories from prying eyes, using the .htaccess file.

In order to protect your chosen directory, you will first need to create an .htaccess file. This is the file that the server will check before allowing access to anything in the same directory. That's right, the .htaccess file belongs in the directory you are protecting, and you can have one in each of as many directories as you like.

You'll need first to define a few parameters for the .htaccess file. It needs to know where to find certain information, for example a list of valid usernames and passwords. This is a sample of the few lines required in an .htaccess file to begin with, telling it where the usernames and passwords can be found, amongst other things.

AuthUserFile /full/path/to/.htpasswd 
AuthName "Please Log In" 
AuthType Basic

You've now defined a few basic parameters for Apache to manage the authorisation process. First, you've defined the location of the .htpasswd file. This is the file that contains all the usernams and encrypted passwords for your site. We'll cover adding information to this file shortly. It's extremely important that you place this file outside of the web root. You should only be able to access it by FTP, not over the web.

The AuthName parameter basically just defines the title of the password entry box when the user logs in. It's not exactly the most important part of the file, but should be defined. The AuthType tells the server what sort of processing is in use, and "Basic" is the most common and perfectly adequate for almost any purpose.

We've told apache where to find files, but we've not told it who, of those people defined in the .htpasswd file, can access the directory. For that reason, we still have another line to define.

If we want to grant access to everyone in the .htpasswd file, we can add this line ("valid-user" is like a keyword, telling apache any user will do):
require valid-user

If we want to just grant access to a single user, we can use "user" and their username instead of "valid-user":
require user dave

A normal and complete .htaccess file might look like this:
AuthUserFile /home/dave/.htpasswd 
AuthName "Dave's Login Area" 
AuthType Basic 
require user dave

Now we have almost everything defined, but we are still missing an .htpasswd file. Without that, the server won't know what usernames and passwords are ok.

An .htpasswd file is made up of a series of lines, one for each valid user. Each line looks like this, with a username, then colon, then encrypted password:

The password encryption is the same as you'll find in PHP's crypt() function. It is not reversible, so you can't find out a password from the encrypted version. (Please note that on page 2 of this article is a tool to help you generate an .htpasswd file, that will help you encrypt passwords).

A user of "dave" and password of "dave" might be added with the following line:

Each time you run an encryption function like "crypt", you will almost certainly get a different result. This is down to something called "salt", which in the above case was "XO" (first two letters of encrypted password). Different salt will give different encrypted values, and if not explicitly specified will be randomly generated. Don't worry though, the server is quite capable of understanding all this - if you come up with a different value for the encrypted password and replace it, everything would still work fine, as long as the password was the same.

Once you've created your .htpasswd file, you need to upload it to a safe location on your server, and check you've set the .htaccess file to point to it correctly. Then, upload the .htaccess file to the directory you want to protect and you'll be all set. Simply visit the directory to check it is all working.
.htpasswd Generator

The .htpasswd file needs encrypted passwords, which can be a problem for anyone without experience with a programming language. For that reason, I've created this simple tool, which, if you enter the username and password you wish to use, will generate the appropriate line to add to your .htpasswd file.
#-c Create the passwdfile for the first time
#-s SHA encryption

$ htpasswd -sc /var/www/html/www.cgs.ca/.htpasswd cgsociety

To prohibit downloading of your .htpasswd & associated files your .htaccess should look something like this:

AuthType Basic 
AuthName "Authorization Required" 
AuthUserFile /path/to/.htpasswd 

<files ~ "^\.ht"> 
Order allow,deny 
Deny from all 


<Limit GET POST> 
require user username 


iPasswd - .htpasswd password generator

iPasswd is an online password generation tool for .htpasswd files. These files store a username and password combination (one per line of the file) which is used with .htaccess Basic Authentication. iPasswd also supports MD5 passwords, used in Digest Authentication.

* Enter a username below. (Note: the username is case sensitive.)
* Enter a password below (Note: the password is case sensitive.)
* If your server uses MD5 password encryption, select the checkbox. If you do not know, leave this unselected.
* Click the "Generate" button.
* Your username and encrypted password will be displayed in a new window.
* Copy and paste the username:password into your .htpasswd file (using a text editor). You can have as many usernames as you want. Each username:password pair must be listed on its own line in the .htpasswd file.
* Upload the .htaccess file to your web site. It should be located in a directory which is not accessable via a web browser (not your "public_html" directory).

User Name:
Use MD5 password encryption
Create .htaccess file

The .htaccess file tells the web server whether to use password protection on files that it is serving.

You'll need to know the full path to your .htaccess file. This is probably something like:


Ask your web host if you do not know the full path to your home directory.

Upload the .htaccess file into the directory you want to protect, or the directory containing the files you want to protect.

You should use one of the following, depending on whether you want to protect all files or just some files in a directory. Replace /full/path/to/.htpasswd with actual pathname of your .htpasswd file. Replace "Please Login" with the message you want displayed when visitors are prompted for a password.
Directory Protection
To protect all files in a directory use a .htaccess file like this:

<Files ".ht*">
order allow,deny
deny from all

AuthUserFile /full/path/to/.htpasswd
AuthType Basic
AuthName "Please Login"

require valid-user

File Protection

To protect only certain files in a directory, use a .htaccess file like this.
<Files ".ht*">
order allow,deny
deny from all

<Files private1.html private2.html>
AuthUserFile /home/pathto/.htpasswd
AuthType Basic
AuthName "Please Login"
Require valid-user
You can use * wildcards in file names to match multiple files.

If you are familiar with regular expressions, you can replace the Files directive with FilesMatch.

For complete specs of .htaccess password protection see the Apace mod_auth documentation

Basic passwords are easy to reverse, meaning that if someone gets hold of your .htpasswd file, they can find out your password. MD5 passwords do not suffer from this, so if your web host supports it, using MD5 passwords will provide protection against this. To do so, change the "AuthType Basic" to "AuthType Digest" in the .htaccess file and use MD5 passwords in your .htpasswd file.