Article #50

How does one password-protect one's home pages?

To limit access to certain parts of your home pages, use the file .htaccess. By installing such a file, you direct the web server to require a user name and password from everyone who requests access via a web browser. The user name and password may be those of the UNIX system, or they may be special values which you can specify.

Note that users with accounts on the departmental systems can log on and go directly to the directories which contain these files. .htaccess provides no protection in this case; rather, the proper file protections must be installed.

The file .htaccess may be created with any text editor. Note that the file name begins with a period; thus, it will not be displayed by the normal ls command. Rather, ls -a must be used. The file must reside in the same directory as the files whose access you wish to limit.

In the following example, the files are protected via a private password database.

AuthName "My Secrets"
AuthUserFile /home/c97/c97pld/public_html/secret/.htpasswd
AuthType Basic
require valid-user

The first two lines may be used as-is. On the first line, provide a name for the secret pages (this name is visible when one is asked to give a name and password in the browser). The second line contains the complete path to the file from which your users who have been assigned passwords will be read. It is easiest to have this file in the same directory as the .htaccess file; the complete path to this directory may be identified easily with the pwd command (see man pwd for further information). It should be pointed out that it is unwise to have user files in the same directory as the .htaccess file, since it may then be possible for others to download these files using a web browser. However, this is not possible in the case of the file, since the web server will never allow it to be visible.

Note that the full path to the file must be given; it is not possible to use, for example, ~user/public_html/.htaccess, as this form of abbreviation is not valid in this context. To see what ~user expands to, run echo ~user in your shell.

It remains to configure the file .htaccess so that certain users have access to the web page. If the above example has been followed, this may be achieved as follows.

  • Log onto the departmental web server, www8.cs.umu.se.
  • Change to the directory in which the .htaccess file which you created lies.
  • Run htpasswd -c .htpasswd user (see man htpasswd for further information), with user replaced by an arbitrary name of your own choosing. You will then be prompted for an (arbitrary) password for that user.

You have now come a long way, and should have a functioning system. To add users, use the command htpasswd while leaving out the -c option. If you give that option, the file is overwritten, and all previous user-password combinations are lost (-c = create new file). To remove single users, edit the file .htaccess with an ordinary text editor, removing the lines corresponding to those users to be removed. There is one line per user, which might appear as follows.

username:v3l0KWx6v8mQM
bob:x4DtaLTqsElC2

Each line consists of a user-name field, followed by a colon and then the password in encrypted form.
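The points made above for the private password database (the full-path rule for AuthUserFile, the note that file protections rather than .htaccess guard against users with shell accounts, and the format of the password lines) can be checked with a short script. This is an added example, not part of the original article; the function name audit_htaccess and the finding labels are hypothetical, and it assumes the password file path contains no spaces.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Prints one finding per line for a directory protected by .htaccess;
# prints nothing when none of the checks fires.
audit_htaccess() {
    dir=$1
    ht="$dir/.htaccess"
    if [ ! -f "$ht" ]; then
        echo "NO_HTACCESS $ht"
        return 0
    fi

    # First AuthUserFile value, with surrounding quotes removed.
    pwfile=$(awk 'tolower($1) == "authuserfile" {
        gsub(/"/, "", $2); print $2; exit }' "$ht")

    # The article's rule: a full path is required, ~user is not expanded.
    case $pwfile in
        "") echo "NO_AUTHUSERFILE $ht" ;;
        /*) [ -f "$pwfile" ] || echo "PWFILE_MISSING $pwfile" ;;
        *)  echo "NOT_FULL_PATH $pwfile" ;;
    esac

    # Users with shell accounts bypass the web server entirely, so report
    # anything whose "other" read bit is set (8th character of ls -l).
    for f in "$dir" "$pwfile"; do
        [ -e "$f" ] || continue
        if [ "$(ls -ld "$f" | cut -c8)" = "r" ]; then
            echo "WORLD_READABLE $f"
        fi
    done

    # A 13-character hash field is traditional crypt(), the format of the
    # article's sample lines; it uses only the first 8 password characters.
    if [ -f "$pwfile" ]; then
        awk -F: 'length($2) == 13 && $2 ~ "^[./0-9A-Za-z]+$" {
            print "LEGACY_CRYPT " $1 }' "$pwfile"
    fi
    return 0
}

# Run against a directory when one is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_htaccess "$1"
fi
```

A WORLD_READABLE finding has to be weighed against how the web server itself is granted access to the files. For LEGACY_CRYPT entries, current versions of htpasswd can store a bcrypt hash instead with the -B option.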

To protect your home pages with the password database of the system, the following example may be used as a base.

AuthYp On
AuthType Basic
ForceSSL on
AuthName "My Secrets"
Require group tdb hpc2n

In this five-line file, the first three lines may be left intact. The fourth line contains the name of the web pages which will be visible in the web browser when the user is prompted to enter the user name and password. The last line identifies those who will be allowed to log on. Group names and their members are taken from the UNIX system. To specify access by user name rather than group name, use a directive of the form Require user c97pld c96jfn. That should allow users c97pld and c96jfn to log on. The user names and associated passwords are taken from the system database.

To allow log on by all valid users of the system, use Require valid-user.
