This page describes how Apache users can 'username/password' protect
sensitive web pages showing information like home phone numbers
and e-mail addresses.
Web-based 'username/password' protection is lightweight protection,
like a locking gas cap, meant to keep wandering strangers away from information they don't need.
This page is written for non-experts, but you need to know how to:
- telnet into your account
- create a directory under public_html
- create a text file called .htaccess
Principles of Operation
You create a subdirectory under the "/public_html" directory for holding the
sensitive web pages.
You then create a file called ".htaccess" that tells the
web server to require a 'username/password' for all web pages found in this
directory and its subdirectories.
This ".htaccess" file identifies a separate 'username/password' file that
you create and maintain using the "htpasswd" command.
Create a web page subdirectory
You do all of these steps from a 'telnet' session which in this example
goes to my ISP, "hiwaay.net".
In the examples, the "[text]" fields are places where you provide
a value or copy a value returned from another command.
The "umask 022" command sets the default file
protections so the Apache web server can read your files:
Username: [your username]
Password: [your password]
If you already have a web page with sensitive information,
skip the next step.
It only creates a practice, test web page and directory.
Make a test web page
If making web pages is new to you, use this test page
to practice the technique.
Experienced users may change directory,
'cd', to that subdirectory and skip to the next steps.
In the example, 'cd public_html' goes to the default web directory;
'mkdir private' makes the test web subdirectory;
and 'cat - >index.html' copies your input into the "index.html" file.
The end of file (EOF) text "^D" comes from holding down the [CTRL] key
and pressing "D".
cat - >index.html
This is my test page that requires a username/password.
Make sure your test web page is working by using the following URL:
Make a .htaccess and password file
You will need the full path to this web directory:
This step makes the '.htaccess' file and points it to your private
password file, '.ht_passwd'.
It also blocks web access to the '.ht_passwd' file.
The '.htaccess' file is already blocked from web browsers.
cat - >.htaccess
AuthUserFile [web directory]/.ht_passwd
deny from all
You create the '.ht_passwd' password file using the "htpasswd"
command. Entering "htpasswd" with no arguments lists the arguments it accepts.
htpasswd -c .ht_passwd demo
New password: [demo password]
Re-type new password: [demo password]
Now test the web page and verify the username 'demo' and
password '[demo password]' work.
Many browsers use either [TAB] or a mouse click to select
the 'Username' and 'Password' fields and [RETURN] enters the values.
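The steps above as a script, added here as an example and not part of the original page: write_htaccess writes a complete '.htaccess' for a directory, and check_htaccess confirms that the pieces the protection depends on are present. The realm name "Private", the function names, and the AuthType, AuthName and Require lines are assumptions (standard Apache Basic-auth directives that do not appear on this page); the password file is still created with "htpasswd" as shown above.

```shell
#!/bin/sh
# Added example, not from the original page. Assumed names: the realm
# "Private" and both function names. "deny from all" is the page's own
# (Apache 2.2-style) directive.

# write_htaccess DIR: create DIR/.htaccess pointing at DIR/.ht_passwd.
write_htaccess() {
    dir=$(cd "$1" && pwd) || return 1   # AuthUserFile gets the full path
    (
        umask 022                       # readable by the web server
        cat > "$dir/.htaccess" <<EOF
AuthType Basic
AuthName "Private"
AuthUserFile $dir/.ht_passwd
Require valid-user
<Files ".ht_passwd">
    deny from all
</Files>
EOF
    )
}

# check_htaccess DIR: return 0 only when the protection is complete.
check_htaccess() {
    f="$1/.htaccess"
    [ -r "$f" ] || { echo "missing $f"; return 1; }
    grep -Eqi '^[[:space:]]*AuthType[[:space:]]+Basic' "$f" ||
        { echo "no AuthType Basic"; return 1; }
    # Without a Require line Apache never asks for a password.
    grep -Eqi '^[[:space:]]*Require[[:space:]]+(valid-user|user|group)' "$f" ||
        { echo "no Require line"; return 1; }
    pw=$(sed -n 's/^[[:space:]]*AuthUserFile[[:space:]]*//p' "$f" | head -n 1)
    case "$pw" in
        /*) ;;                          # relative paths resolve against ServerRoot
        *) echo "AuthUserFile should be a full path"; return 1 ;;
    esac
    [ -s "$pw" ] || { echo "password file missing or empty: $pw"; return 1; }
    return 0
}
```

Run check_htaccess on the directory after "htpasswd -c" has created the password file; it prints the first problem it finds and returns non-zero.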
Conclusions and Cautions
With 'username/password' protection, you can still web-publish
sensitive family photos, birthdays, home numbers and addresses to
those you trust while blocking access by wandering strangers.
But unlike SSL-encrypted pages, 'username/password' pages are sent over the
network in the clear and should not be used for critical data.
Furthermore, the same mechanism that allows Apache to serve your web pages
makes them available to those who share your server.
But like the locking gas cap, 'username/password' keeps the curious browser
out of areas where they have no business.
$Id: htaccess.html,v 1.5 2002/03/19 19:08:33 bwilson2 Exp bwilson2 $