Using htaccess for web pages

Please note: htaccess is for pages served from OUTSIDE THE WIKI in users directories. The wiki has similar ability, but it is set up differently -Greg

This can be used in many ways. The user and password are not related to our system users and passwords, so you can use anything you like. However, there is no mechanism for web users to maintain or reset their htaccess password, so it can become a maintenance nightmare quite quickly. It seems best used either to give a small group of people access or to create a single “user” for an entire group. In the example we are creating a single user for a course so that some web pages will be restricted to folks in that course.

Security considerations

It's a weak scheme: all usernames and passwords go over the network in clear text. Also, anything the web server can serve must be readable by the web server, so it is visible to any user logged in to a shell account on the machine, whatever the .htaccess file says.

How to set it up in two steps

For the sake of this example, our instructor's account name will be “hopper” and Professor Hopper wants to create a course login for her cs795 “Way advanced topics not offered at Vassar” seminar.

Two files are needed for this system: a password file and an access file. Only one password file is needed; any number of access files may refer to the same password file. The password file should never be put in a location that is served over the web.

The password file does not need to be in the directory of the user where the public_html files are, so you can use the same password file in /home/hopper for files in /home/cs795/public_html/, /home/hopper/public_html and any other course you want to restrict in this way.

Step One - The password file

Somewhere outside of your public_html directory, create a new directory to hold your password file. I suggest using a directory with a dot name to make it a bit more “hidden” and so it does not clutter up your directory listings. You can call it whatever you like. I am calling it “.ht”

        mkdir -m 711 ~/.ht

Then create the password file (by convention called .htpasswd or htpasswd) and a user, for the course “cs795”:

        htpasswd -c ~/.ht/htpasswd  cs795

It will prompt you for the password for the user.

Any other time you want to add users or change the password for an existing user, just leave out the “-c”: the file already exists, and giving -c again will remove the original file and replace it with a new one containing only the user you just added.

        htpasswd ~/.ht/htpasswd cs795

will change the password for user cs795.

See the htpasswd man page for full details and other options.

Step Two - The .htaccess file

In the step above you can use any name you like for the password file just as long as you give the full path to it in the access file. However in this step the file name must be .htaccess in order for the web server to use it as an access file.1)

Copy the lines below, put them in a file called “.htaccess” (must be called that). Put that file in a directory that is served by our web server. At that point, access to that directory and any directory below it will require user/password to get to it. You can give more than one user on the require line, just put a space between the names (not a comma).

Make sure the .htaccess file is world readable (chmod 644 .htaccess).

Make sure the “AuthUserFile” line gives the absolute path to the location of the password file. The web server will need that.

AuthUserFile /home/hopper/.ht/htpasswd
AuthGroupFile /dev/null
AuthName ByPassword
AuthType Basic

# No <Limit> wrapper around the require line: a require inside <Limit GET>
# applies only to GET (and HEAD) requests, so any other request method would
# reach the files without a password. Left unwrapped, it covers every method.
require user cs795

If you want to limit access to a directory and all the directories below it to web users on campus, put the following lines into a file named .htaccess in the highest-level directory you want protected:

# No <Limit> wrapper here either, so the address rules apply to every request
# method rather than only to GET and POST.
order allow,deny
allow from 143.229
deny from 143.229.1.10

The .htaccess file must be world readable (chmod 644 .htaccess). Denying 143.229.1.10 keeps out the on-site Google indexer, which would otherwise cache your page and allow the cached copy to be viewed off campus.

If you change

 allow from 143.229 

to

 allow from 143.229.6 

then you will restrict access to the CS Department IP space.
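The checks a practitioner would run before trusting either .htaccess above, as an added example that is not part of the original page: the script below verifies that the password file exists and is not under public_html, that the access file is named .htaccess and is world readable, that AuthUserFile is an absolute path matching the real password file, and that the require line is not wrapped in <Limit> (which would leave non-GET requests unprotected). It builds its own constructed fixtures in a temporary directory, standing in for /home/hopper/.ht/htpasswd and a public_html directory, so it runs anywhere.

```shell
#!/bin/sh
# Added example, not from the original page. check_htaccess PASSWORD_FILE HTACCESS_FILE
# prints each problem found and returns the number of problems (0 = looks sane).
check_htaccess() {
    pw=$1; ht=$2; n=0
    # The password file must exist; the web server process has to be able to read it.
    [ -f "$pw" ] || { echo "missing password file: $pw"; n=$((n+1)); }
    # It must never sit under a directory that the web server serves.
    case "$pw" in */public_html/*) echo "password file is inside public_html"; n=$((n+1));; esac
    # The access file must be named exactly .htaccess and be world readable (chmod 644).
    case "$ht" in */.htaccess|.htaccess) ;; *) echo "access file must be named .htaccess"; n=$((n+1));; esac
    [ "$(ls -ld "$ht" 2>/dev/null | cut -c8)" = r ] || { echo "$ht is not world readable"; n=$((n+1)); }
    # AuthUserFile must be an absolute path and must point at the real password file.
    auth=$(sed -n 's/^[[:space:]]*AuthUserFile[[:space:]]*//p' "$ht" 2>/dev/null)
    case "$auth" in /*) ;; *) echo "AuthUserFile is missing or not absolute: '$auth'"; n=$((n+1));; esac
    [ "$auth" = "$pw" ] || { echo "AuthUserFile ($auth) does not match $pw"; n=$((n+1)); }
    # A require inside <Limit GET> protects only GET/HEAD; other methods bypass it.
    grep -qi '^[[:space:]]*<Limit' "$ht" 2>/dev/null && { echo "require is inside <Limit>: non-GET requests bypass auth"; n=$((n+1)); }
    return $n
}

# Constructed fixtures (stand-ins for ~/.ht/htpasswd and ~/public_html); prints the temp dir.
demo_setup() {
    d=$(mktemp -d); mkdir -p "$d/.ht" "$d/public_html/cs795"
    # Placeholder entry, not a real hash; htpasswd -c would write the real one.
    printf 'cs795:$apr1$placeholder$notarealhash\n' > "$d/.ht/htpasswd"
    # Good setup: absolute AuthUserFile, bare require line, world readable.
    printf 'AuthUserFile %s/.ht/htpasswd\nAuthName ByPassword\nAuthType Basic\nrequire user cs795\n' "$d" \
        > "$d/public_html/cs795/.htaccess"
    chmod 644 "$d/public_html/cs795/.htaccess"
    # Bad setup: relative AuthUserFile, require wrapped in <Limit GET>, not world readable.
    printf 'AuthUserFile .ht/htpasswd\nAuthType Basic\n<Limit GET>\nrequire user cs795\n</Limit>\n' \
        > "$d/public_html/.htaccess"
    chmod 600 "$d/public_html/.htaccess"
    echo "$d"
}

main() {
    d=$(demo_setup)
    echo "== good setup =="; check_htaccess "$d/.ht/htpasswd" "$d/public_html/cs795/.htaccess"; echo "problems: $?"
    echo "== bad setup ==";  check_htaccess "$d/.ht/htpasswd" "$d/public_html/.htaccess";       echo "problems: $?"
    rm -rf "$d"
}
```

Run it as `sh check_htaccess.sh` after appending a call to main, or source it and call check_htaccess on your real paths.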


1)
Strictly speaking this is not true as we could change our web server to look for it by another name, but short of doing that it must be called .htaccess