Restricting Access (Regular Server)

Web Design > Restricting Access (Regular Server)

If you wish to restrict access to a Web directory on the regular server to a specific list of users, the list of valid users will be contained in your htpasswd file, which is created and modified by the htpasswd program. This file is stored in your directory and maintained by you, so you will need to enter the usernames and passwords yourself. You are the only person that can change passwords and add new users to the file.

The passwords in this file are encrypted using a simple algorithm, so it is important that your htpasswd file should not be publicly readable. At the same time, your htpasswd file must be readable by the web server. Therefore, it is important that you follow these steps when creating your htpasswd file. After you are familiar with the process you can try different directory names and file names.

Create the htpasswd File

Create an empty directory.

$ mkdir ~/passwd
Use the setweb program to put that directory in the www group and make it group readable.

$ setweb ~/passwd
In that directory create a new password file containing your username. If your username is xyz4 you would type

$ htpasswd ~/passwd/htpasswd xyz4
Type the password that you will use to access Web documents. Make up a new password: do not use your CUNIX password here.
Additional usernames can be added using the htpasswd program

$ htpasswd ~/passwd/htpasswd jkl3
Type the password that jkl3 will use to access Web documents. Tell them to make up a new password: do not use their CUNIX password here.
The htpasswd program will make sure that your password file is not publicly readable.

The htpasswd file was created in the ~/passwd directory so it will be in the www group. You can move it to another directory but we recommend that you leave it there. If your password file is not in the www group then you forgot to run setweb (see above).

If you decide to use separate password files for various web directories we recommend that you put them all in the ~/passwd directory. But it would be easier to create a single password file and use it for all your web directories that need to be restricted.

Create the .htaccess File

Use the echo command to determine the full path to your htpasswd file

$ echo ~/passwd/htpasswd

If your username is xyz4 the system would respond this way

/h/u4/x/xyz4/passwd/htpasswd

Go to the Web directory to which you want to restrict access. If you are going to restrict access to your ~/public_html/private directory, you would type

$ cd ~/public_html/private

Create a file called .htaccess in that directory, bearing in mind the path information obtained earlier (e.g. /h/u4/x/xyz4/passwd/htpasswd). The .htaccess file should contain these directives, at least

AuthUserFile /h/u4/x/xyz4/passwd/htpasswd
AuthGroupFile /dev/null
AuthName ByPassword
AuthType Basic

require valid-user

The "require valid-user" directive will permit access to any user in your htpasswd file. Alternatively, you could name all the users that should have access, for example

require user xyz4
require user jkl3

Make the .htaccess File World Readable

Using the chmod command, add read access for everyone.

$ chmod a+r .htaccess

Conclusion

Any Web access to a file in your private directory will cause the browser to prompt for a username and password. Since you are the owner of that file, you are the only person that can change passwords and add new users to the file. Use the htpasswd program to modify that file.

$ htpasswd ~/passwd/htpasswd jkl3

You can also include the "satisfy any" directive to allow access by domain name or by password. In that case the web browser would not prompt for a password if the user is in the specified domain:

AuthUserFile /h/u4/x/xyz4/passwd/htpasswd
AuthGroupFile /dev/null
AuthName ByPassword
AuthType Basic

satisfy any
order deny,allow
deny from all
allow from .columbia.edu
require valid-user

« Back to Restricting Access

Setting Permissions
Creating a Logout Page