.htaccess
files are very versatile, and can easily become very complex. This
document contains enough information to set simple access
restrictions/limits on a directory in your web space.
Remember to upload .htaccess files, and .htpasswd files using ASCII mode. This is an option is available in most FTP clients.
Username/Password Protection
This schema will prompt web users to enter a CASE SENSITIVE username/password pair before serving any content within the directory containing the .htaccess file. In the simplest of cases there are two files involved, the .htaccess file, and the password file.
The password file is a text file containing a username and an encrypted password, separated by a colon. You can use one password file for many .htaccess files. The entries can be generated here.
Password Generation
a) Usage of the command htpasswd
To create and maintain the password file it is possible to use the Linux command htpasswd. You have to make sure that you are using the same path and filename like in your .htaccess File (AuthUserFile).
For example:
htpasswd -c /PFAD/PASSWORTDATEI name1
htpasswd /PFAD/PASSWORTDATEI name2
htpasswd /PFAD/PASSWORTDATEI name3
Remark: option -c creates a new file
b) Password generation "by hand"
Windows users can use several websites to generate passwords. You have the add this password later to the .htpasswd file:
For example:
user1:ON91eDD9iaeC9
user2:DDE1eXB9eaiF4
user3:XB49e784xsgD
Creating .htaccess file
The .htaccess file would be placed in the directory that needs password protection, and would look something like this:
If
you are using one password file for multiple .htaccess files, and would
like certain users to have access to some areas, but not others, you
may want to try one of the following:
a) specify the users by using require user userid:
<Limit GET POST>
require user cisco
require user bob
require user tim
</Limit>
b) setup a group file. This requires you to specify AuthGroupFile. You can now require group whatever
.htaccess example:
AuthUserFile /usr/home/lee/htpasswd
AuthGroupFile /usr/home/lee/htgroup
AuthName "Lee's Secret Area"
AuthType Basic
<Limit GET POST>
require group managers
</Limit>
AuthGroupFile example:
managers: cisco bob tim jeff kari
systems: lee joe cisco
sales: kari tonja
Restricting by IP Address
This only requires the .htaccess file. There are two approaches to restricting by IP address:
a) deny everyone access, then allow certain hosts/IP addresses
AuthName "Lee's Secret Area"
AuthType Basic
<Limit GET POST>
order deny,allow
deny from all
allow from 199.166.210.
allow from .golden.net
allow from proxy.aol.com
allow from fish.wiretap.net
</Limit>
b) allow everyone except for certain hosts/IP addresses
AuthName "Lee's Secret Area"
AuthType Basic
<Limit GET POST>
order allow,deny
allow from all
deny from .microsoft.com
deny from .evil-hackers.org
deny from 24.112.106.235
deny from morphine.wiretap.net
</Limit>
More Examples
Try crunching the above together into one:
a) only managers can view this page from a .golden.net IP address:
htaccess:
AuthUserFile /usr/home/lee/htpasswd
AuthGroupFile /usr/home/lee/htgroup
AuthName "Lee's Secret Area"
AuthType Basic
<Limit GET POST>
order deny,allow
deny from all
allow from .golden.net
require group managers
</Limit>
AuthGroupFile:
managers: cisco bob tim jeff kari
systems: lee joe cisco
sales: kari tonja
b) managers can view this page from anywhere, everyone else must be from a golden.net IP address:
htaccess:
AuthUserFile /usr/home/lee/htpasswd
AuthGroupFile /usr/home/lee/htgroup
AuthName "Lee's Secret Area"
AuthType Basic
Satisfy Any Default is Satisfy ALL
<Limit GET POST>
order deny,allow
deny from all
allow from .golden.net
require group managers
</Limit>
AuthGroupFile:
managers: cisco bob tim jeff kari
systems: lee joe cisco
sales: kari tonja
Remember to upload .htaccess files, and .htpasswd files using ASCII mode. This is an option is available in most FTP clients.
Username/Password Protection
This schema will prompt web users to enter a CASE SENSITIVE username/password pair before serving any content within the directory containing the .htaccess file. In the simplest of cases there are two files involved, the .htaccess file, and the password file.
The password file is a text file containing a username and an encrypted password, separated by a colon. You can use one password file for many .htaccess files. The entries can be generated here.
Password Generation
a) Usage of the command htpasswd
To create and maintain the password file it is possible to use the Linux command htpasswd. You have to make sure that you are using the same path and filename like in your .htaccess File (AuthUserFile).
For example:
htpasswd -c /PFAD/PASSWORTDATEI name1
htpasswd /PFAD/PASSWORTDATEI name2
htpasswd /PFAD/PASSWORTDATEI name3
Remark: option -c creates a new file
b) Password generation "by hand"
Windows users can use several websites to generate passwords. You have the add this password later to the .htpasswd file:
For example:
user1:ON91eDD9iaeC9
user2:DDE1eXB9eaiF4
user3:XB49e784xsgD
Creating .htaccess file
The .htaccess file would be placed in the directory that needs password protection, and would look something like this:
| AuthUserFile /usr/home/lee/htpasswd | - FULL path to the password file. This file doesn't have to be in your public_html. |
| AuthName "Lee's Secret Area" | - This description will appear in the login screen. Multiple words require quotes. |
| AuthType Basic | - Just a line that is required. |
| <Limit GET POST> | - Start of the limit tag. This will set limits on GET's and POST's. |
| require valid-user | - Sets area restrictions such that the user must have a valid login. |
| </Limit> | - End of the limit tag. |
a) specify the users by using require user userid:
<Limit GET POST>
require user cisco
require user bob
require user tim
</Limit>
b) setup a group file. This requires you to specify AuthGroupFile. You can now require group whatever
.htaccess example:
AuthUserFile /usr/home/lee/htpasswd
AuthGroupFile /usr/home/lee/htgroup
AuthName "Lee's Secret Area"
AuthType Basic
<Limit GET POST>
require group managers
</Limit>
AuthGroupFile example:
managers: cisco bob tim jeff kari
systems: lee joe cisco
sales: kari tonja
Restricting by IP Address
This only requires the .htaccess file. There are two approaches to restricting by IP address:
a) deny everyone access, then allow certain hosts/IP addresses
AuthName "Lee's Secret Area"
AuthType Basic
<Limit GET POST>
order deny,allow
deny from all
allow from 199.166.210.
allow from .golden.net
allow from proxy.aol.com
allow from fish.wiretap.net
</Limit>
b) allow everyone except for certain hosts/IP addresses
AuthName "Lee's Secret Area"
AuthType Basic
<Limit GET POST>
order allow,deny
allow from all
deny from .microsoft.com
deny from .evil-hackers.org
deny from 24.112.106.235
deny from morphine.wiretap.net
</Limit>
More Examples
Try crunching the above together into one:
a) only managers can view this page from a .golden.net IP address:
htaccess:
AuthUserFile /usr/home/lee/htpasswd
AuthGroupFile /usr/home/lee/htgroup
AuthName "Lee's Secret Area"
AuthType Basic
<Limit GET POST>
order deny,allow
deny from all
allow from .golden.net
require group managers
</Limit>
AuthGroupFile:
managers: cisco bob tim jeff kari
systems: lee joe cisco
sales: kari tonja
b) managers can view this page from anywhere, everyone else must be from a golden.net IP address:
htaccess:
AuthUserFile /usr/home/lee/htpasswd
AuthGroupFile /usr/home/lee/htgroup
AuthName "Lee's Secret Area"
AuthType Basic
Satisfy Any Default is Satisfy ALL
<Limit GET POST>
order deny,allow
deny from all
allow from .golden.net
require group managers
</Limit>
AuthGroupFile:
managers: cisco bob tim jeff kari
systems: lee joe cisco
sales: kari tonja
