Step One: setup a .htaccess file
Step Two: create a password file
Step Three: test it out
By default, the files on your web site are accessible to everyone. While this is suitable for most web sites, you may wish to password protect areas of your site so that only authorised users may gain access. With your Unix based AAPT Web service, this can be done by creating or editing a file called .htaccess. This file is used to make changes to the Apache web server software that only affect your web site.
The method of password protection described below is called "Basic Authentication". When a visitor tries to access a protected area of your site, she will be prompted for a username and password. If authentication succeeds, she will be able to access that part of the site until she closes her browser. This is because the browser resends the username and password each time it requests a file.
The configuration options in a .htaccess file apply to the directory and all its subdirectories. Apache will look for .htaccess in every directory, so you could (for example) specify an ErrorDocument that applies to your whole site and require authentication for a portion of your site.
This document only describes authentication-based access control. Another method of access control is allowing or denying access based on IP address. AAPT strongly recommends against using IP-based access control: it is a weak form of security, because the source IP address will vary depending on whether end users go via a proxy.
In this example, we will protect a directory called members, located directly under the document root (htdocs). The sample site used is www.example.com, and its FTP login name is example.
Where to put .htaccess: The .htaccess file should be placed in the directory you wish to protect. In this example, we upload it to /www.example.com/htdocs/members/
Create or update: In this example, we assume there is no .htaccess file already. If there is, don't delete it, but instead modify it by adding the lines below. The parts you can modify to fit your site are the AuthUserFile path and the AuthName value.
AuthUserFile /import/clients/e/example/www.example.com/.htpasswd
AuthGroupFile /dev/null
AuthName "Example Member Area"
AuthType Basic
require valid-user
Now to explain the above configuration directives in more detail:
AuthUserFile specifies the location of the file that contains usernames and passwords. It is an absolute path, so must start with /import/clients/<first letter of username>/<username>/<site>
While you can choose where to store the file, in this example we have chosen to place it directly under www.example.com. Because it is not under the htdocs directory, there is no chance of someone accessing the password file with a web browser. Note that the password file does not have to be in the same directory as the .htaccess file.
AuthGroupFile specifies the location of a group file. Since we are not using groups in this example, we have entered /dev/null.
A group file allows you to split your userbase into groups. For example, you could have one password file for your whole staff, then specify groups for each department. Then you could use "require group sales" to allow only Sales staff to access pricing information. More information on groups is available in the Apache documentation.
AuthName gives a name to the realm (area) you are protecting. It is seen by the user when he logs in. Netscape, for example, would display "Enter username for Example Member Area at www.example.com" in the dialog box that prompts for username and password. The value must be enclosed in quotation marks unless it contains no spaces.
AuthType indicates the type of authentication to use. Although other types exist, Basic is the only authentication type supported by almost all browsers. With Basic authentication, the username and password are sent through as plain text from the browser to the server for each object the user requests.
require tells Apache that the user must provide username and password. valid-user means that any username in AuthUserFile is allowed as long as the correct password is used. Other than valid-user, options for require include user (only allow specified user) and group (allow any user from the specified group). The Apache documentation contains more information.
To authenticate a user, Apache checks the username and password entered by the user against details in a text file. The name and location of the password file is specified within .htaccess with AuthUserFile.
Each line in the password file contains a username and password pair. The password is stored in an encrypted format and is separated from the username by a colon (:).
The usual way to create a password file is to use a command called htpasswd. These steps show how to make a password file called .htpasswd:
Telnet to hosting.connect.com.au and log in with your site's username and the requested One Time Password.
Go to the directory in which you want to create the password file. In this example, we use: "cd /www.example.com/".
To create the password file, type "htpasswd -c .htpasswd username". The "-c" option tells htpasswd to create the file; omit it if you wish to add a username to an existing password file.
You will then be prompted to enter a password for the specified username and enter it again to confirm.
If desired, you can add further usernames with "htpasswd .htpasswd username"
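As an added example (not AAPT's own code, and not Apache's implementation), the following Python sketch shows how the pieces described above fit together: the Authorization header a browser resends with Basic authentication, and the lookup Apache performs against the AuthUserFile. It handles only the {SHA} hash format that "htpasswd -s" writes; the usernames, passwords and file contents are constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed .htpasswd contents: one "username:hash" pair per line. The {SHA}
# form is what "htpasswd -s" writes: "{SHA}" + base64(SHA-1(password)).
# Apache's crypt/MD5/bcrypt formats need extra libraries, so only {SHA} is handled.
def _sha_entry(password: str) -> str:
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

SAMPLE_HTPASSWD = "alice:" + _sha_entry("correct horse") + "\nbob:" + _sha_entry("hunter2") + "\n"

def build_authorization_header(username: str, password: str) -> str:
    """The header a browser resends on every request after a Basic login."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"

def decode_authorization_header(header: str) -> tuple[str, str]:
    """What the server (or anyone reading an unencrypted connection) recovers."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not Basic authentication")
    # Only the first colon separates the fields, so passwords may contain colons.
    username, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    return username, password

def parse_htpasswd(text: str) -> dict[str, str]:
    """Read an AuthUserFile into a username -> stored-hash mapping."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            username, _, stored = line.partition(":")
            users[username] = stored
    return users

def check_password(users: dict[str, str], username: str, password: str) -> bool:
    """Compare the offered password with the stored {SHA} hash in constant time."""
    stored = users.get(username)
    if stored is None or not stored.startswith("{SHA}"):
        return False  # unknown user, or a hash format this example does not handle
    return hmac.compare_digest(stored, _sha_entry(password))

def authenticate_request(header: str, htpasswd_text: str) -> bool:
    """Apache's 'require valid-user' decision for one request, in miniature."""
    try:
        username, password = decode_authorization_header(header)
    except ValueError:  # wrong scheme, malformed base64 or non-UTF-8 bytes
        return False
    return check_password(parse_htpasswd(htpasswd_text), username, password)
```

Decoding the header shows why Basic credentials should only travel over an encrypted (HTTPS) connection: base64 is an encoding, not encryption, so anyone who can read the traffic recovers the username and password.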
The directory you have protected (and its subdirectories) should now only be accessible if a valid username/password pair is entered. To test it:
If you get an error, or you can't get access with the correct username and password, you will need to review the configuration you created in the above two steps. Common errors that prevent successful authentication include:
Contact AAPT Support if you have questions, or encounter problems. While it is your responsibility to maintain your chosen method of access control, we may be able to help by pointing out possible errors.
The Apache documentation is an invaluable resource, which explains all directives including AuthUserFile, AuthType, require, etc. Particularly useful for this topic is the article on "Authentication, Authorization, and Access Control" available at: http://httpd.apache.org/docs/howto/auth.html
Copyright © AAPT Limited