Protecting Web Directories with Apache

Provided that the facility is enabled in the Apache web server, you can protect parts of your web site from unauthorised visitors so that a logon and password are needed for access. This is done by creating a file called .htaccess in the directory to protect (as detailed later); that directory and any below it are then protected. The actual list of people allowed to access the directory is contained in a second file, usually named .htpasswd (but this can be different), which may be in the same directory, or ideally in the web site root to make it harder (but not impossible) for site visitors to access.

Does your web server support protection?

Ideally, just ask your ISP! But support is not always what you would expect, so you can check whether password protection is available by copying the .htaccess file supplied into a subdirectory on your web site (not the root), perhaps /private/. Your browser should then come up with an error when accessing files in that directory, probably 500 something, which means a server error, because the password file will not be found.

.htaccess file

This file is a simple text file that contains the file path for the .htpasswd file and the greeting that visitors will see when the logon dialog appears.

Example:

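# Full file system path to the password file
AuthUserFile /pub/site.com/.htpasswd
# Message shown in the browser's logon dialog
AuthName "For registered users only"
AuthType Basic
# Applies to every HTTP method. Wrapping this line in <Limit GET POST>
# would leave all other methods unprotected.
Require valid-user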

The AuthName argument is the message that appears in the logon dialog; the other information should not be changed.

Unless your ISP has provided the full UNIX file path to your web site, you will probably need their assistance in getting the correct AuthUserFile. However, you may be able to use a server side include (SSI) page, assuming that the web server has that feature enabled. Copy the file ssitest.shtml to your web server and access it from your web browser. It must have the extension SHTML (not SHTM), otherwise the SSI will not be processed. The SSI command:

<!--#echo var="DOCUMENT_ROOT"-->

should be replaced by the full path name to your root, while SCRIPT_FILENAME will show the full path and file name to the SSI document you are viewing. So the AuthUserFile will be similar but with the file name replaced by .htpasswd.
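An added example (not from the original page): a small Python check for a Basic-auth .htaccess file. It reports a Require line that a <Limit> section confines to specific methods, a relative AuthUserFile, and a password file that sits under the document root. The function name lint_htaccess, the sample text and the document root /pub/site.com are assumptions made for illustration.

```python
import re
from pathlib import PurePosixPath

# Constructed sample: the page's directives with Require wrapped in <Limit>.
SAMPLE_HTACCESS = """\
AuthUserFile /pub/site.com/.htpasswd
AuthName "For registered users only"
AuthType Basic
<Limit GET POST>
  require valid-user
</Limit>
"""

def lint_htaccess(text, document_root):
    """Return a list of findings for a Basic-auth .htaccess file."""
    findings, directives, limit_methods = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<Limit\s+([^>]+)>", line, re.I)
        if opened:
            limit_methods = opened.group(1).split()
            continue
        if line.lower().startswith("</limit"):
            limit_methods = None
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        directives[name] = parts[1].strip('"') if len(parts) > 1 else ""
        if name == "require" and limit_methods:
            findings.append("Require applies only to " + ",".join(limit_methods)
                            + "; other methods are not restricted")
    for needed in ("authtype", "authname", "authuserfile", "require"):
        if needed not in directives:
            findings.append("missing directive: " + needed)
    pw = directives.get("authuserfile")
    if pw and not pw.startswith("/"):
        findings.append("AuthUserFile is relative; it resolves against ServerRoot")
    elif pw and PurePosixPath(document_root) in PurePosixPath(pw).parents:
        findings.append("password file is under the document root; "
                        "confirm the server refuses requests for .ht* files")
    return findings
```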

To learn more about using the .htaccess file, read these articles: "Practical solutions concerning the use of the .htaccess file" and "How to get the full path on the server?"

.htpasswd file

This file is much simpler, containing one line per registered user and nothing else. Make sure there are no trailing spaces after the text:

JohnButler:DsVNh9Oj.WTAs
Client12:cl/4k7z97YxWk
Boss:VT761B6b0Iio2

So in the first line the user name is 'JohnButler' with password 'nightmoon' and it encodes to that shown.

The passwords are generated by the htpasswd program included with the Apache server. But if you are going to manage many users, group them, and periodically change their passwords and permissions, you can use the special free program Htpasswd Generator. It will help you to manage this and other authentication files.

Note that there's a random element to the encryption, so the same name and password may encrypt to a different result using different programs.
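An added example (not from the original page): a Python audit of an .htpasswd file that checks the one-line-per-user format, flags trailing whitespace and duplicate users, and names each entry's hash scheme. The 13-character values shown above are in the traditional crypt format, whose first two characters are the salt, which is the random element mentioned. The function names and the fourth sample line are constructed for illustration.

```python
import re

# The three entries shown on the page, plus one constructed faulty line
# (duplicate user name and a trailing space).
SAMPLE_HTPASSWD = (
    "JohnButler:DsVNh9Oj.WTAs\n"
    "Client12:cl/4k7z97YxWk\n"
    "Boss:VT761B6b0Iio2\n"
    "Boss:VT761B6b0Iio2 \n"
)

DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")

def classify(hash_field):
    """Name the htpasswd hash scheme from the stored value's shape."""
    if hash_field.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if hash_field.startswith("$apr1$"):
        return "apr1-md5"
    if hash_field.startswith("{SHA}"):
        return "sha1-unsalted"
    if DES_CRYPT.fullmatch(hash_field):
        return "des-crypt"
    return "unknown"

def audit_htpasswd(text):
    """Return (entries, findings); entries are (user, scheme, salt) tuples."""
    entries, findings, seen = [], [], set()
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        if line != line.rstrip():
            findings.append(f"line {number}: trailing whitespace")
        user, sep, hash_field = line.rstrip().partition(":")
        if not sep or not user or not hash_field:
            findings.append(f"line {number}: not in user:hash form")
            continue
        if user in seen:
            findings.append(f"line {number}: duplicate user {user}")
        seen.add(user)
        scheme = classify(hash_field)
        # Traditional crypt stores its two-character salt at the front of the hash.
        salt = hash_field[:2] if scheme == "des-crypt" else None
        if scheme in ("des-crypt", "sha1-unsalted", "unknown"):
            findings.append(f"line {number}: {user} uses {scheme}")
        entries.append((user, scheme, salt))
    return entries, findings
```

Entries reported as des-crypt or sha1-unsalted can be regenerated with the htpasswd program using a stronger scheme, for example bcrypt with its -B option.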

For larger web sites, you may want to restrict different directories to different users. This is done by putting an .htaccess file in each directory to be protected, and then having two or more password files, for instance .htpaswd1 and .htpaswd2. Be sure to edit the .htaccess file so the AuthUserFile matches the correct password file.

Uploading the file to your web site

It's important that these files do not have extensions and have the correct name. Older versions of Windows do not like files that start with . and have no extension, so you may need to rename them on the web server after FTP'ing them, and then FTP them back to the PC with the correct names.

What programs exist for managing the .htpasswd, .htgroup and .htaccess files?

There are several programs for managing and editing these files.

If you only need a manager for these files, the best choice is Htpasswd Generator. There is a Lite freeware version for novices and a Professional version for advanced users.

ApacheConf has the most powerful graphical user interface (GUI) for Apache server tuning. ApacheConf is a shell (GUI) for configuring Apache web servers that will help you to tune the main configuration file, httpd.conf. ApacheConf presents all the information in the httpd.conf file in a structured view. All of the server's directives are grouped by category (Global directives, Directories, Virtual hosts, etc.) and all these groups are represented as a tree. In this way, you can see the entire structure of the server at a glance and you can easily manage all of the server's directives, as well as the directories and virtual hosts.