Protect web directories

Author: Mattias (mattias@999tutorials.com)
Categories: General www, Apache
Sometimes you need to put important but secret data on a web site. Then it's important to protect it from other persons! Let's say your web stats, your admin section or just your private photo album ;-)
The tutorial:
Digg this, Post to del.icio.us,

You probably have information and functions on websites that is only for you and your staff. One solutions that works often is using PHP or ASP to verify username and password, but sometimes the easiest way is to protect a complete directory of files. For this you need neither PHP or ASP, you need Apache to use a built in function called "htaccess".

Let’s say you want to protect a directory, the first thing you need to do is to create a file named .htaccess in that directory (and other directories to protect). (Very important is the dot in front of the word htaccess)

.htaccess needs some things to work with. The first thing is where to find the file with a list of valid usernames and passwords (.htpasswd). Below is a sample of a normal .htaccess file. Just replace /my/path/to with something that goes for your system, but make sure that the directory is outside the web root so no one can surf to that file. This file will contain usernames and encrypted passwords.

AuthUserFile /my/path/to/.htpasswd
AuthName "Login before getting access to directory"
AuthType Basic

AuthUserFile tells .htaccess where to look for the usernames and passwords.
AuthName is used for defining what text you want on the password box the user will get when accessing the directory.
AuthType defines how the server should handle everything with the authentication. Don’t worry more about this, just write “Basic” there because that is the most usual and best for most purpose.

Q: But how does apache know who is allowed to access the directory?
A: Apache doesn’t right now. But we will enter that information now?

We have two alternatives for this:

  1. All valid users that can enter a username and password that is in the .htpasswd file can see the directory.
  2. We define exactly which users have access to this directory. This is the method I recommend for maximum security!


Either of these solutions we need to add one more row in our .htaccess file at the very end.

Enter this text for the solutions you choose:

  1. require valid-user
  2. require user mattias

Of course you need to replace “mattias” with your own username... :-)

So this is what my .htaccess would look like:

AuthUserFile /home/mattias/.htpasswd
AuthName "Login before getting access to directory "
AuthType Basic require user mattias

The last thing we have to do is create the password file, .htpasswd.
An .htpasswd file is made up of separate lines, one for each valid user. The file is very simple, each line has “username”, then colon, then “encrypted password”.

To generate the password you can use PHP’s crypt() function. Simply create a php file with ‘echo crypt(“your password”);’ and you will get your encrypted password for the .htpasswd file.

Here is what I did for the username “mattias” and password “guitar”.
mattias:fQwRrKlSmpgyk

Important!
If you runt crypt() several times you will get different results, because the function uses something called seed to make it harder to crack. Don’t worry though, apache is capable to handle this.

Once you have created your .htpasswd file you should upload it to a safe directory on your server. It’s very important that the file is not accessible from the web or via public ftp. Make sure the information in .htaccess is correct so apache can find the password file.

The final thing is to surf to the directory you protect to see that it’s protected properly. Happy protecting :-)


Digg this, Post to del.icio.us,
 


eXTReMe Tracker