You don't need expensive software or a degree in forensics to secure access to your company Web sites. You just need the Apache Web server and .htaccess. I'll introduce some of the security features of .htaccess by showing you how to use it to password-protect your http directories.

The access.conf file
More than likely, you're using a recent version of Apache that uses the access.conf file. In my Linux distribution (Red Hat 8.0), this file is located in /etc/httpd/conf. If your distribution is different and doesn't locate this file in the same place, simply run locate access.conf to find out where access.conf is tucked away. Take a look at this file; in it you may find something that looks like:

 
<Directory /var/www/html/admin/>
   Options Indexes FollowSymLinks
   AllowOverride AuthConfig
   order allow,deny
   allow from all
</Directory>

This snippet tells Apache which directory (in this case, /var/www/html/admin) is to be configured with password protection. The <Directory> tag begins the directive, and the </Directory> tag ends it; the path given in the opening tag is the location that this directive configures for password protection. Of course, the above directive is defining more than just a directory. For example, here are the Options listed:

  • Indexes allows the server to generate a directory listing for a directory if no DirectoryIndex is specified.
  • FollowSymLinks allows the server to follow symbolic links in that directory.
  • AllowOverride sets whether any Options can be overridden by the declarations in an .htaccess file.
  • AuthConfig allows usage of the authorisation directives.
  • Order controls the order in which allow and deny directives are evaluated.
  • Allow specifies which requester (a domain name, all, an IP address, a partial IP address, network/netmask pair) can access a given directory.

These are the primary directives you will use for a password-protected directory. You'll want to define, in a directive similar to the example above, the directory you want to password-protect and how you want it protected. To do this you must su to root, edit and save the file, and restart httpd (which can be achieved with the /etc/rc.d/init.d/httpd restart command).

File setup
With the directories defined, it's time to create the files and passwords associated with the directories. First, you must change to the directory you want to protect. (For this example, I'll use /var/www/html/admin/.) Next, create the .htaccess file with the command touch .htaccess. Open that file with your favourite text editor and enter the following, where USERNAME is the actual username that the administrator or user will log on with:

 
AuthUserFile /var/www/html/admin/.htpasswd
AuthGroupFile /www.null
AuthName "Authorization Required"
AuthType Basic
 
<Limit GET POST>
require user USERNAME
</Limit>
 

Here, you see the following directives:

  • AuthUserFile is the path to the password file I'll create momentarily.
  • AuthGroupFile is the path to the group password file.
  • AuthName creates what is referred to as a realm of protection, which allows users, once successfully logged on, to access any area defined by the same realm.
  • AuthType is the type of authorization; this should be set to Basic.
  • Within the <Limit> tags, you will define who is allowed access to this particular directory.

Set .htaccess passwords
To finish the .htaccess setup, you must create a password for the user with the htpasswd command. This command will create the password for the specified user and create the necessary password file (as configured in the AuthUserFile directive above).

The syntax of this command is htpasswd password_file_name user. In this case, you're not only creating the user's password, but you're also creating the password file, so you need to add the -c (create) flag. In this example, the user will be OBED and the password file (.htpasswd) will be located in the /var/www/html/admin/ directory. To do this, you'll run the command htpasswd -c /var/www/html/admin/.htpasswd OBED. Upon pressing [Enter], you will be prompted for a password that will be associated with the user. The directory will now be accessible only to those in the .htpasswd file.

Using groups
Listing single users is not so convenient when you have a number of users who need access to a specific directory. If you want to allow a group to access a specified directory, you will want to make use of the AuthGroupFile directive in the .htaccess file. In .htaccess, you will replace require user USERNAME with require group GROUPNAME. You can also use a combination of user and group, or even multiple entries of either (or combinations). For example, you could have the following directives in your .htaccess file:
 
require user USERNAME
require group GROUP1 GROUP2
 

The next step is to create the group file, which consists of a group name, followed by a colon, and a space-separated list of included users. Let's say you have a group called staff that includes users buffy, willow, giles, xander, and dawn. The entry in the group file for this group would look like:
 
staff: buffy willow giles xander dawn

The group is limited to 8 KB in size (or 8,000 characters).

With the group file in place, you will still need to use htpasswd to create the passwords for the group members (as shown above). To give a new user access to the particular directory, you simply have to add his or her username to the group file.
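As an added example (not from the original article), the following Python script models how Apache evaluates a Basic-auth logon against the three files discussed above: the .htpasswd entries, the AuthGroupFile, and the require lines in .htaccess. It assumes passwords stored in the {SHA} format that htpasswd -s writes (base64 of SHA-1) so that it runs without the htpasswd binary, and it goes slightly beyond the text by also accepting require valid-user; the users, passwords and groups are constructed sample data.

```python
"""Model of Apache's .htaccess authorisation: verify the password against
an htpasswd file, then grant access if ANY 'require' line is satisfied.

Added example, not from the original article. Assumptions: htpasswd
entries use the {SHA} format ('htpasswd -s'); users, passwords and groups
below are constructed sample data.
"""
import base64
import hashlib
import hmac


def sha1_entry(user, password):
    """Build one htpasswd line in the {SHA} format ('htpasswd -s')."""
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return f"{user}:{{SHA}}{digest}"


def parse_htpasswd(text):
    """Map user -> stored hash; blank lines and '#' comments are ignored."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        entries[user] = stored
    return entries


def parse_htgroup(text):
    """Map group -> set of members; format is 'name: user1 user2 ...'."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, members = line.partition(":")
        groups[name.strip()] = set(members.split())
    return groups


def check_password(entries, user, password):
    """Verify a {SHA} entry using a constant-time comparison."""
    stored = entries.get(user)
    if stored is None or not stored.startswith("{SHA}"):
        return False
    expected = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return hmac.compare_digest(stored[len("{SHA}"):], expected)


def parse_require(lines):
    """Turn 'require user a b' / 'require group g' lines into (kind, names)."""
    rules = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == "require":
            rules.append((parts[1].lower(), parts[2:]))
    return rules


def authorize(user, password, htpasswd_text, htgroup_text, require_lines):
    """True when the credentials are valid AND at least one require line matches."""
    if not check_password(parse_htpasswd(htpasswd_text), user, password):
        return False
    groups = parse_htgroup(htgroup_text)
    for kind, names in parse_require(require_lines):
        if kind == "user" and user in names:
            return True
        if kind == "group" and any(user in groups.get(g, ()) for g in names):
            return True
        if kind == "valid-user":  # any user with a valid password
            return True
    return False


# Constructed sample data mirroring the article's files (hypothetical passwords).
HTPASSWD = "\n".join([
    sha1_entry("OBED", "s3cret"),
    sha1_entry("buffy", "stake"),
    sha1_entry("spike", "bloody"),   # valid password, but matches no require line
])
HTGROUP = "staff: buffy willow giles xander dawn\n"
REQUIRE = ["require user OBED", "require group staff"]

if __name__ == "__main__":
    for who, pw in [("OBED", "s3cret"), ("buffy", "stake"),
                    ("spike", "bloody"), ("OBED", "wrong")]:
        verdict = "granted" if authorize(who, pw, HTPASSWD, HTGROUP, REQUIRE) else "denied"
        print(f"{who}: {verdict}")
```

Apache grants access when any one of the require lines is satisfied, so a user named in require user and a member of a group named in require group both get in, while a user with a valid password who matches neither rule (spike above) is denied, as is a group member with no .htpasswd entry. When adding further users with htpasswd, omit the -c flag: it creates a fresh file and would discard the existing entries.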

Logging on
When a user attempts to access the restricted page, he or she will be greeted with a logon screen, as shown in the diagram below.



Looking for something much bigger?
Should your needs become so large that a flat-text database file falls short, you can look to the dbmmanage tool to create standard database format files to use with .htaccess. This method requires a bit more information, which can be found on the Apache Web site.

 


©2003 TechRepublic, Inc.

Comments

1

Rex Berglund - 10/06/03

The syntax mentioned,

require user USERNAME
require group GROUP1 GROUP2

doesn't work for me: anyone in the group is allowed, but users specified via the 'require user' directive aren't allowed. Do you have any idea what could be wrong?
