HTAccess is an NCSA-compatible way (our server is NCSA-compatible) to use password protection on HTML documents and server directories. You can set up your web directories to require userids and passwords for access to web objects in them. When properly set up, the web server will request a userid and password from the web browser. The web browser in turn requests this information from you in a pop-up window; after you provide the information, the browser remembers the userid and password for the duration of the session and supplies them to the web server each time you access protected objects.
This means that you need to exit your browsers when you have finished using them. Otherwise, hackers can continue to use your browser to access protected files without having to enter a userid and password.
In this context each person accessing the protected content does not need to have an individual userid. For example, all students in a class may share a single userid.
There are three files involved: .htaccess, .htgroup and .htpasswd. The basic procedure is as follows:
htpasswd [ -c ] .htpasswd userid
The "-c" option should be included if and only if the password file ".htpasswd" does not already exist. If it is used and the password file exists, then the previous contents of the file will be lost. This password file can reside anywhere the web server can see it and is normally called ".htpasswd". I'd recommend putting it in ~/public_html. The htpasswd program will prompt you twice for the password of the new user you are adding.
The .htpasswd file looks like this after two users have been added:
user1:NijEBcC2UX7XQ
user2:2KQuglF10vI4s
Make sure that the .htpasswd file is world readable. If not, change permissions using:
chmod ugo=r,u+rw ~/public_html/.htpasswd
AuthUserFile /home/path_to_home_dir/public_html/.htpasswd
AuthGroupFile /dev/null
AuthName ByPassword
AuthType Basic
# The require lines inside <limit GET POST> apply only to the request methods listed.
<limit GET POST>
require user user1
require user user2
</limit>
Or if you want to easily allow access from anybody in your .htpasswd file then use this:
AuthUserFile /home/path_to_home_dir/public_html/.htpasswd
AuthGroupFile /dev/null
AuthName ByPassword
AuthType Basic
require valid-user
The files in the directory can now be accessed only by user1 and user2 (or in the second case anybody in .htpasswd). Note that AuthUserFile specifies an absolute path to your password file.
Make sure that the file is world readable. The UNIX command to do that is:
chmod ugo=r,u+rw ~/public_html/restricted_dir/.htaccess
class1: user1
class2: user2
all: user1 user2
A .htaccess file which uses this group file looks like this:
AuthUserFile /home/path_to_home_dir/public_html/.htpasswd
AuthGroupFile /home/path_to_home_dir/public_html/.htgroup
AuthName ByPassword
AuthType Basic
<limit GET POST>
require group all
</limit>
Like AuthUserFile, AuthGroupFile must specify an absolute path here.
The above file would be for access to public_html; a subdirectory called "class1" could have the following (different) .htaccess file:
AuthUserFile /home/path_to_home_dir/public_html/.htpasswd
AuthGroupFile /home/path_to_home_dir/public_html/.htgroup
AuthName ByPassword
AuthType Basic
<limit GET POST>
require group class1
</limit>
In other words, user1 and user2 can access public_html (with the correct password for each) but only user1 can access public_html/class1.
To delete one or more users, delete the corresponding line(s) in the .htpasswd file. To delete all users, delete the whole .htpasswd file, and remove mention of it from the .htaccess file (unless you plan to create some new users).
It is possible to use names other than .htpasswd and .htgroup for the password and group files. This is not advisable, though, since this may create an opportunity for the contents of these files to be revealed to web users. The web server will not allow web access to any files beginning with .ht, or to any files located outside of public_html (unless they can be accessed by symbolic links contained within public_html). You should keep this in mind if you choose different names for these files. However, the best way to avoid this problem is to use the standard names, as above.
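The checks described above can be automated. The following is an added example, not part of the original page: a small Python audit that reads one .htaccess file and reports whether AuthUserFile and AuthGroupFile are absolute paths, whether files kept under the web root keep a .ht name, whether they are world readable, and which users the require lines actually admit. The function names, the sample tree and the extra group member user3 are constructed for illustration.

```python
import os, stat, tempfile
from pathlib import Path

def load(path):  # 'name:rest' lines of .htpasswd or .htgroup -> dict
    pairs = (ln.partition(":") for ln in Path(path).read_text().splitlines())
    return {n.strip(): rest.strip() for n, sep, rest in pairs if sep}

def audit(htaccess, docroot):  # -> (users the require lines admit, findings)
    conf, requires, findings, files = {}, [], [], {}
    for parts in map(str.split, Path(htaccess).read_text().splitlines()):
        if parts and parts[0].lower() == "require":
            requires.append(parts[1:] or [""])
        elif parts and parts[0][0] not in "#<":  # skip comments and <limit> tags
            conf[parts[0].lower()] = " ".join(parts[1:])
    root = os.path.realpath(docroot) + os.sep
    for key in ("authuserfile", "authgroupfile"):
        path, files[key] = conf.get(key, ""), {}
        if path in ("", "/dev/null"):
            continue
        if not (os.path.isabs(path) and os.path.isfile(path)):
            findings.append(f"{key}: {path} is not an absolute path to a file")
        else:
            exposed = os.path.realpath(path).startswith(root)
            if exposed and not os.path.basename(path).startswith(".ht"):
                findings.append(f"{key}: {path} is web-reachable without a .ht name")
            if not os.stat(path).st_mode & stat.S_IROTH:
                findings.append(f"{key}: {path} is not world readable")
            files[key] = load(path)
    users, groups, allowed = files["authuserfile"], files["authgroupfile"], set()
    for kind, *names in requires:
        if kind == "valid-user":
            names = list(users)
        elif kind == "group":
            names = [m for g in names for m in groups.get(g, "").split()]
        allowed |= {n for n in names if n in users}
        findings += [f"require {kind}: {n} has no password entry" for n in names if n not in users]
    return allowed, findings

def sample():  # constructed tree: the page's class1 setup plus a member (user3) with no password
    root = Path(tempfile.mkdtemp(), "public_html")
    (root / "class1").mkdir(parents=True)
    (root / ".htpasswd").write_text("user1:NijEBcC2UX7XQ\nuser2:2KQuglF10vI4s\n")
    (root / ".htgroup").write_text("class1: user1 user3\nall: user1 user2\n")
    (root / "class1/.htaccess").write_text(f"AuthUserFile {root}/.htpasswd\n"
        f"AuthGroupFile {root}/.htgroup\n<limit GET POST>\nrequire group class1\n</limit>\n")
    return root / "class1/.htaccess", root

if __name__ == "__main__":
    print(audit(*sample()))
```

Run against the constructed tree, the audit admits only user1 to class1 and flags user3, who is listed in the group file but has no line in .htpasswd.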
These are public documents that have more information about password protecting a site with HtAccess
Last updated 16 September 2006