At times, when I am browsing the web, I click on a link such as this one and instead of a web page, I get a dialog box asking me to enter my user name and password. And only after I have been authenticated do I get access to the website (or page). This feature of password protection is very simple to implement in Apache web server.
Basically, the whole process of password authentication banks on just two files . Them being :
- .htpasswd - This file contains the user name - password combination of the users who are allowed access to the website or page. This file can reside anywhere other than the directory (or path) of your website. But usually, it is created in the Apache web server directory (/etc/apache2/.htpasswd). This is because, this file should not be accessible to the visitors to the site.
- .htaccess - This file defines the actual rules based on which users are given access or denied access to a particular section or whole of the website. This file should reside in the base directory of one's website. For example, if my website is located in the path '/var/www/mysite.com' and I want to provide user authentication to the entire website, then I will store the file .htaccess in the following location - '/var/www/mysite.com/.htaccess '.
If one is implementing this feature for the first time on one's server, then he has to create the .htpasswd file. I chose to create the .htpasswd file in the apache 2 configuration directory. After this, one can add any number of users and assign passwords to them. This is done by the htpasswd utility which gets installed with the apache2 web server.
# htpasswd -c /etc/apache2/.htpasswd ravi
New password: *****
Re-type new password: *****
Adding password for user ravi
In the above command, -c option asks the htpasswd utility to first create a .htpasswd file in the /etc/apache2 directory. Simultaneously, I have provided the name of the user (myself) and the utility asks me to type a password which is used to authenticate me before allowing access to the site.
Note: Any number of users and their password may be entered in the same .htpasswd file per website.
Now I make this .htpasswd file readable by all the users as follows:
# chmod 644 /etc/apache2/.htpasswd
Next step is the creation of the file .htaccess which will prohibit the full or a part of the website which is situated in /var/www/mysite.com. Since I am interested in password protecting the whole website, I create the file in the /var/www/mysite.com base directory. But if I am interested in protecting only a sub-directory (say by name 'personal') of this site, then I will have to create it in the '/var/www/mysite.com/personal' directory.
# touch /var/www/mysite.com/.htaccessNow I enter the following lines in the .htaccess file :
require user ravi
Here 'AuthUserFile' points to the place where I have stored the .htpasswd flat file which contains the user names and passwords.
AuthGroupFile points to the group file which contains the group of users. Here I have opted to not have a group file and hence points it to /dev/null .
AuthName directive sets the name of the authorization realm for this directory. This name can contain spaces.This is a name given to users so they know which username and password to send.
AuthType value of Basic instructs apache to accept basic unencrypted passwords from the remote user's web browser.
The last line - require user ravi - tells apache that only the user with name 'ravi' should be allowed access provided the right password is entered. If more than one user is to be allowed access, then those user names could also be appended to the line. Suppose I want another user also to access the file, I modify the line as follows:
require user ravi john
And if I want all the users listed in the .htpasswd file to be allowed access, the line is modified as thus:
require valid-userThe .htaccess file also has to be provided the right file permissions.
# chmod 644 /var/www/mysite.com/.htaccess
One more step is needed; that is to change a line in the apache2 configuration file. In a previous article titled "Host websites on your local machine using Apache websever", I had dwelled upon the modular structure of the Apache 2 configuration files.
Following that structure, assuming my configuration file for the website /var/www/mysite.com is stored in /etc/apache2/sites-available/mysite.com , I open the file in an editor and change the following line :
... and save and exit the file. Now restart apache web server to re-read the configuration file.
Note: If you are using apache instead of apache2, then the file to be edited is /etc/httpd/conf/httpd.conf though the lines to be edited are the same.
That is it. From now on any user who visits the website will first have to enter the correct username and password before he is allowed access to the website.