Wednesday, November 09, 2005

protect web directories using .htaccess

Here's a tutorial on how to set up password protection under Apache 2.0.54 and Windows 2000
it takes about 5 minutes to set this up and provides an adequate level of protection for files that are web accessible anyway!

1. Open up a command prompt and navigate to your apache2/bin directory, it will be c:\program files\apache group\apache2\bin if you used a default apache installation
2. Type the following command "htpasswd -c filename username" where you choose the name of the password file (remember what you called it) and the name of the user that you want to add to the user list, you will be prompted twice for a password
3. Copy the new password file to a directory outside your web root, you dont want anyone being able to see it
4. You now need to edit your httpd.conf file, if you search for the following string "FileAccessName" that will take you to the correct place in the file. Create a new line after that section and add the following text:

AllowOverride All
Options None
Order deny,allow

Where protected directory is the full path to the directory that needs to be password protected i.e. "c:/webroot/site/"
5. Browse to that directory and create a new text file called htaccess.txt, inside this add the following text

AuthUserFile "path/to/your/password/file"
AuthName "The Message you wish to appear on the prompt that pops up"
AuthType Basic

require valid-user

6. Save this and rename it to .htaccess using your favourite editor (NOT NOTEPAD!!!)
7. Restart apache and try to browse to your newly protected directory, you should be presented with a dialogue box asking you for a username and password (the ones you created earlier!)

This will give you rudimentary protection for the files contained in that directory but there is much more that htaccess can do, for example it can limit access to a specific IP range, so say you have an internet site that is part intranet, you could limit access to the intranet subsection so that it is only accessible to users that have a or a IP address, i.e. those users on the internal network.
I can't cover all the possibilities that this presents, there are simply too many permutations, but there is plenty of help out there, remember google is your friend!

1 comment:

daspeac said...

I think you may also try the repair ms sql database tool