Subject: Protect Apache web resources with .htaccess & .htpasswd
Author: AwsEC2
In response to: How to protect Apache web resources
Posted on: 09/11/2012 07:33:06 PM
.htaccess
The .htaccess file is ACLs in simple text file placed in the directory you want the contents of the file to affect. The rules in the .htaccess file will be enforced on whatever directory it is in and all sub-directories as well, as in SubEntry ACLs
Sample .htaccess file for most cases:
$ cat /home/ec2-user/example2.com/.htaccess
AuthType basic
AuthName "Ooops! Protected Resource ..."
AuthUserFile /home/ec2-user/example2.com/.htpasswd
Require valid-user
Sample .htaccess file for a more complicated case:
$ cat /home/ec2-user/example2.com/.htaccess
## ACCESS INSTRUCTION LIST ###
AuthType basic
AuthName "Ooops! Temporarily Under Construction ..."
AuthUserFile /home/ec2-user/example2.com/.htpasswd
AuthUserFile /home/ec2-user/example2.com/.htpasswd # multiple location
AuthGroupFile /dev/null # optional
Require John # password prompt for John
Require valid-user # password prompt for everyone else from AuthUserFile
Order Deny,Allow
Deny from all
Allow from 192.168.64.5 # Your, the developers IP address
Allow from w3.org # css/xhtml check jigsaw.w3.org/css-validator/
Allow from googlebot.com # Allows google to crawl your pages
Satisfy Any # no password required if host/ip is Allowed
.htpasswdThe .htpasswd file is the second part of the affair. The .htpasswd file is also a simple text file which contains username/password pairs. The password will be stored in encrypted form and the username will be in plaintext.
Format:
<username>:<encrypted_password>
Sample .htpasswd file:
john:a5MfE987hgwbg
Lauren:98qiJH6hjkp4K
Troubleshooting:
The username in .htpasswd is case-sensitive. John and john are two different users.
Make sure the permissions on the .htaccess and .htpasswd files are set so that Apache can read them.
chmod 0644 .htaccess
chmod 0644 .htpasswd
.htaccess files can be completely ignored by Apache if the administrators opt it with an AllowOverride None directive. In other words, .htaccess files work only if your web administrators allow the following settings:
or
>
> On 09/11/2012 06:44:45 PM AwsEC2 wrote:
Protecting resource on the web is something that most admin will have to do at one point or another. Whether the content is personal or under construction, there comes a time when that content must only be accessed by authorized users. The Apache web server allows two ways to achieve this purpose:
One way is placing the access rules in an external file (.htaccess) which resides directly inside the protected directory.
The other way is placing the access rules inside directory dicretives of configuration file httpd.conf or conf.d/*.conf
References: