This post is not so much a tutorial as my own notes on restricting access with .htaccess files and apache. As has been the case with many of my previous tutorials, the basis is writing the steps down so I can refer to them later. Turns out making notes public on a blog is a good idea. In any event, this will outline restricting access to directories on a user-level with .htaccess.
Create the .htaccess file
To limit access to a directory we need to create a .htaccess file where we will outline the restrictions for the location. Any folder within your publicly accessible web page can have its own custom .htaccess file. note: some shared hosting companies do not allow custom .htaccess restrictions for individual sites. You may need to check with your host on this.
Within your .htaccess file you would include something along these lines:
# sample .htaccess file
AuthName "Private Website"
AuthType basic
AuthUserFile /path/to/.htpasswd
require user username (optional)
In the above sample config “Private Website” can be any message you want displayed to the user when trying to authenticate to that page. /path/to/.htpasswd is what we will work on next in generating usernames and hashed passwords for authentication. require user username can limit access to only those users listed.
Create the .htpasswd file
In the .htaccess file we’ve outlined a path/to/.htpasswd file which we need to also create. It is a good idea to keep this file in a non web-accessible location. For example, if your web root is /var/www/html/ you might put the .htpasswd file in /var/www/.htpasswd. This way it is not accessible publicly and limits the chances of someone being able to get a hold of and attempt to break your hashed passwords for access.
To populate the .htpasswd file we’ll use the command htpasswd. To initially create the file we’d use:
htpasswd -cm /var/www/.htpasswd user-one
The -c will initially create the file. The -m will md5 encrypt the passwords for additional security. The htpasswd command will prompt you for a password.
To add additional users to your .htpasswd access list use:
htpasswd -m /var/www/.htpasswd user-two
Be careful not to use the -c option when adding additional users as this will recreate the file and overwrite previous entries.
Once these two files are in place access to the folder containing the .htaccess file will be limited to only those users listed within the .htpasswd file and require authentication via a password. This is great for sharing web accessible files with only certain users, creating private folders, etc.
If your host allows custom .htaccess file creation but does not provide you access to the htpasswd command you can try to generate your .htpasswd file using an apache installation on a local machine and copying the resulting files over.
Very useful – and easy to understand.
Thank you.
Awesome! Exactly the information i needed
Ubuntu Server 8.10
Is the authentication mod (mod_auth) enabled as part of apache2's core? I went by these instructions and am never prompted for a username/password.
Hi Limer,
Use the following command: sudo a2enmod rewrite
Make sure the file /etc/apache2/sites-available/default contains the "AllowOverride All" (2 times in this file).
Two words for ya.
“You Rock”
Thanks for the assist 🙂
Do you know of anyway with htaccess to disable someone from using your domain to point to their own website on the same server? Ex: they use YOURDOMAIN.com to promote their PHISHING WEBSITE.COM by using this simple URL to send users : YOURDOMAIN.COM/~phishing/file.html
Any help would be greatly appreciated. Thanks
My first question would be why someone else would have access to your website content, allowing them to generate links to other sites. Your content generation should be restricted to trusted users. As far as I know, .htaccess isn’t used to block something like this.
The problem is that the website in question is on a shared server and other users on the same server (same ip) are using mydomain.com to promote their phishing sites. Since they are on the same server as me mydomain.com/~thatuser/phishing.html is accessible. They are simply using other peoples domains to generate links instead of using theirphishingsite.com