Introduction

This page describes how Apache users can protect sensitive web pages, such as those showing home phone numbers and e-mail addresses, with a 'username/password'. Web-based 'username/password' protection is lightweight protection, like a locking gas cap, meant to keep wandering strangers away from information they don't need. Written for non-experts, you need to know how to:

Principles of Operation

You create a subdirectory under the "/public_html" directory for holding the sensitive web pages. You then create a file called ".htaccess" that tells the web server to require a 'username/password' for all web pages found in this directory and its subdirectories. This ".htaccess" file identifies a separate 'username/password' file that you create and maintain using the "htpasswd" command.

Create a web page subdirectory

You do all of these steps from a 'telnet' session, which in this example goes to my ISP, "hiwaay.net". In the examples, the "[text]" fields are places where you provide a value or copy a value returned from another command. The "umask 022" command sets the default file permissions so the Apache web server can read your files:
telnet hiwaay.net
Username: [your username]
Password: [your password]
...
umask 022
If you already have a web page with sensitive information, skip the next step. It only creates a practice, test web page and directory.

Make a test web page

If making web pages is new to you, use this test page to practice the technique. Experienced users may change directory, 'cd', to their own subdirectory and skip to the next steps. In the example, the 'cd public_html' command goes to the default web directory, 'mkdir private' makes the test web subdirectory, and 'cat - >index.html' copies your input into the "index.html" file. The end of file (EOF) text "^D" comes from holding down the [CTRL] key and pressing "D".
cd public_html
mkdir private
cd private
cat - >index.html
<html><title>Test Page</title>
<body>
This is my test page that requires a username/password.
</body></html>
^D
Make sure your test web page is working by using the following URL:

Make a .htaccess and password file

You will need the full path to this web directory:
pwd
[web directory]

This step makes the '.htaccess' file and points it to your private password file, '.ht_passwd'. It also blocks web access to the '.ht_passwd' file. The '.htaccess' file is already blocked from web browsers.

cat - >.htaccess
AuthName "family"
AuthType Basic
require valid-user
AuthUserFile [web directory]/.ht_passwd
<Files .ht_passwd>
order allow,deny
deny from all
</Files>
^D
You create the '.ht_passwd' password file using the "htpasswd" command. The "-c" option creates the file. Entering "htpasswd" with no arguments lists the arguments it accepts.
htpasswd -c .ht_passwd demo
New password: [demo password]
Re-type new password: [demo password]
Now test the web page and verify the username 'demo' and password '[demo password]' work. Many browsers use either [TAB] or a mouse click to select the 'Username' and 'Password' fields and [RETURN] enters the values.
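
A quick way to check the result of the steps above, as an added example that is not part of the original page: the shell function `check_htaccess` (a hypothetical name) confirms that the directives are present, that AuthUserFile is a full path, and that a password file kept inside the web directory has its own <Files> deny block. The sample directory and its 'CONSTRUCTED-HASH' entry are constructed so the script runs offline.

```sh
#!/bin/sh
# check_htaccess DIR: audit the .htaccess/.ht_passwd pair made in the steps above.
# Prints findings; returns 0 when nothing is wrong, 1 otherwise.
check_htaccess() {
    dir=$1; ht="$dir/.htaccess"; rc=0
    [ -f "$ht" ] || { echo "FAIL: $ht not found"; return 1; }
    # Directives the page's file relies on (Apache ignores their case).
    for d in authname authtype authuserfile require; do
        awk -v d="$d" 'tolower($1) == d { f = 1 } END { exit !f }' "$ht" ||
            { echo "FAIL: no $d directive"; rc=1; }
    done
    # AuthUserFile must be a full path: Apache resolves a relative one against
    # its ServerRoot, not against the directory that holds .htaccess.
    pw=$(awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2; exit }' "$ht")
    case $pw in
        /*) ;;
        *)  echo "FAIL: AuthUserFile '$pw' is not an absolute path"; return 1 ;;
    esac
    [ -s "$pw" ] || { echo "FAIL: $pw is missing or empty"; rc=1; }
    # A password file kept inside the web directory needs its own deny block
    # ("deny from all" as on the page, or "Require all denied" on Apache 2.4).
    case $pw in
        "$dir"/*)
            awk -v n="${pw##*/}" '
                { gsub(/"/, "") }
                tolower($1) == "<files" && $2 == (n ">") { inside = 1; next }
                tolower($1) == "</files>" { inside = 0 }
                inside && tolower($0) ~ /deny from all|require all denied/ { ok = 1 }
                END { exit !ok }' "$ht" ||
                { echo "FAIL: no <Files ${pw##*/}> deny block"; rc=1; } ;;
    esac
    # umask 022 leaves the file world-readable, so other accounts on a shared
    # host can read it; reported as a note because Apache needs read access.
    if [ -n "$(find "$pw" -prune -perm -004 2>/dev/null)" ]; then
        echo "NOTE: $pw is readable by every local user"
    fi
    return $rc
}

# Constructed sample mirroring the page's files, so the script runs offline.
demo=$(mktemp -d)
printf '%s\n' 'AuthName "family"' 'AuthType Basic' 'require valid-user' \
    "AuthUserFile $demo/.ht_passwd" '<Files .ht_passwd>' 'order allow,deny' \
    'deny from all' '</Files>' > "$demo/.htaccess"
echo 'demo:CONSTRUCTED-HASH' > "$demo/.ht_passwd"
check_htaccess "$demo" && echo "OK: $demo passes"
rm -rf "$demo"
```

To audit your own directory, call `check_htaccess` with the [web directory] value returned by 'pwd'.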

Conclusions and Cautions

With 'username/password' protection, you can still web-publish sensitive family photos, birthdays, home numbers and addresses to those you trust while blocking access by wandering strangers. But unlike SSL encrypted pages, 'username/password' pages are sent over the network in the clear and should not be used for critical data. Furthermore, the same mechanism that allows Apache to serve your web pages makes them available to those who share your server. But like the locking gas cap, 'username/password' keeps the curious browser out of areas where they have no business.
Send comments and suggestions to: Bob Wilson
$Id: htaccess.html,v 1.5 2002/03/19 19:08:33 bwilson2 Exp bwilson2 $