Using Passwords

You need to create a file called .htaccess in the top-level directory you wish to protect with passwords. So if you wished to protect a directory called ~username/public_html/top_secret, you should create the .htaccess file there. It should have the same permissions as a normally served document (i.e. 444, or a=r). The file should look roughly like this:

AuthType Basic
AuthName REALM
AuthUserFile USER_FILE_PATH
AuthGroupFile GROUP_FILE_PATH
<Limit GET>
require group GROUP_NAME
</Limit>

REALM is the text presented to the person trying to access your pages, so they have some idea which username and password to use. It is an arbitrary string (e.g. Top_secret, or Top Secret Directory).

USER_FILE_PATH is the complete path (e.g. /usr/users/lt/goebel/stuff/users) of the file where you have stored the usernames and passwords. Each line of the file holds one username and its password, separated by a colon. The passwords are generated on emunix by a program called htpasswd.

An example user file could look like this:

mattias:password1
dilbert:password2

The group file should list one group per line: the group name followed by a colon, and then a list of the users in the group.

An example group file could look like this:

buttheads: dilbert
shoes: dilbert mattias

Neither the group file nor the user file should be in your web directory, but both should be readable by the web daemon (i.e. world-readable).

Allowing or denying by IP/domain

Pick the top-level directory you want protected and create a .htaccess file there. It should contain something along the lines of:

<Limit GET>
order deny,allow
deny from all
allow from 164.76.
</Limit>

This will allow connections only from machines whose IP addresses start with 164.76.

The order directive tells the server in which order to test the deny and allow directives.

1) deny,allow : the deny directives are evaluated before the allow directives.

2) allow,deny : the allow directives are evaluated before the deny directives.

So you can deny everyone but a select few, or only allow a few certain sites to look at certain directories.
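
The evaluation order described above, modelled in Python as an added example (not part of the original page and not Apache's own code). It assumes Apache's documented behaviour that the directive tested last wins and that a client matching nothing is admitted under deny,allow and refused under allow,deny; the function names and the sample client addresses are made up for illustration.

```python
# Added example: a simplified model of Apache's order/allow/deny evaluation.
# Only "all" and partial-IP patterns (leading octets, e.g. "164.76.") are modelled.

def matches(pattern, ip):
    """True if pattern is 'all' or its octets equal the leading octets of ip."""
    if pattern.lower() == "all":
        return True
    want = [o for o in pattern.split(".") if o]
    return ip.split(".")[:len(want)] == want

def is_allowed(order, allow, deny, ip):
    """Return True if the client ip is admitted under the given order."""
    allowed = any(matches(p, ip) for p in allow)
    denied = any(matches(p, ip) for p in deny)
    if order == "deny,allow":
        # Deny is tested first, allow second: an allow match overrides a
        # deny match, and a client matching neither list is admitted.
        return allowed or not denied
    if order == "allow,deny":
        # Allow is tested first, deny second: a deny match overrides an
        # allow match, and a client matching neither list is refused.
        return allowed and not denied
    raise ValueError("unknown order: " + order)

# The rules from the .htaccess shown above.
ALLOW = ["164.76."]
DENY = ["all"]

# Constructed sample client addresses (hypothetical).
CLIENTS = ["164.76.10.5", "164.7.1.1", "10.0.0.1"]

def evaluate(order):
    """Map each sample client to its admit/refuse decision."""
    return {ip: is_allowed(order, ALLOW, DENY, ip) for ip in CLIENTS}

if __name__ == "__main__":
    for order in ("deny,allow", "allow,deny"):
        print(order, evaluate(order))
```

With the same two rules, changing the order to allow,deny refuses every client, including those in 164.76., because "deny from all" is then tested last.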

Actual Apache Documentation


last updated 28 August 2000
Mr. Information: info@emunix.emich.edu
Just who is Mr. Info anyway? The world may never know...