Password protecting Apache web pages

Dec 08, '00 11:29:49AM

Contributed by: robg

[Editor's note: I have added one key missing instruction about modifying apache.conf to the details; this is also discussed in the comments.]

"Guestwhat" wrote in with a question:

Could someone help me to enable a turn key on my web site in Mac OS X Beta? What I meant was, when a user goes to my web site, I want to have a username and password in order for them to access it.

One way of doing this is with .htaccess files. When Apache serves a page, it checks each directory on the path to the requested file for an .htaccess file, from the top of the document tree down to and including the directory that holds the page, and applies whatever it finds there (provided the server's AllowOverride setting permits it, which is the step covered at the end). So if you place an .htaccess file in the top directory of your server's document tree, you protect every file under it. Read on to see how I used this to protect my home site.

Let's assume that your username is foo, and that your web server files are in the default OS X location, /Library/WebServer/Documents. You need to do the following from within a terminal session. I'm going to use vi as the editor, but pick your personal favorite.

cd /Library/WebServer/Documents
vi .htaccess
Insert the following lines in the new file:
AuthUserFile /Users/foo/webstuff/.htpasswd
AuthGroupFile /dev/null
AuthName ByPassword
AuthType Basic
<Limit GET>
require user username
</Limit>
Notice that the first line references a file outside the web server's document tree, so the password file itself can never be served to a visitor. In this case, I used a folder called "webstuff" in foo's home directory (create it first if it does not exist). You could also add group restrictions, but here I'm only restricting by user ("username" in the sample). Obviously, replace this with the real user name you'd like to use. One caveat about the <Limit GET> block: it restricts only the methods listed (GET, which for Apache also covers HEAD), so any other method, such as a POST or PUT to a cgi-bin script, is served without asking for a password at all. You can add further methods to the "Limit GET" line, separated by spaces, but the safer choice is to leave the <Limit> and </Limit> lines out altogether so that the require line applies to every method. Also keep in mind that Basic authentication sends the username and password over the wire in the clear (base64 is an encoding, not encryption), so on anything but a trusted network this belongs behind HTTPS.

Next, you need to create a password for username in the file you specified. The htpasswd program will do this for you:
htpasswd -c /Users/foo/webstuff/.htpasswd username
You will be prompted to enter the password twice. The -c flag creates the file, so use it only the first time; to add further users, run the same command without -c, otherwise the existing file is replaced and the earlier users disappear. Make sure the user the web server runs as (www on OS X) can read the file, and that nobody else needs to, since it holds password hashes. Newer versions of htpasswd can store bcrypt hashes with the -B flag, which is preferable where it is available.

New step added: the last thing you need to do is to edit the "apache.conf" file. It is owned by root, so from a terminal session open it with sudo and your favorite editor:
sudo vi /Library/WebServer/Configuration/apache.conf
You want to find the section that looks like this (in the default configuration it sits inside the <Directory> block for /Library/WebServer/Documents; if you serve pages from another directory, edit that directory's block instead):
#
# This controls which options the .htaccess files in directories can
# override. Can also be "All", None or any combination of "Options", "FileInfo",
# "AuthConfig", and "Limit"
#
AllowOverride None
Change the last line to read
AllowOverride AuthConfig
(You can read the comments if you want a brief explanation of what this does: it lets .htaccess files set the authentication directives and nothing else, which is all this setup needs.) If you kept a <Limit> block in the .htaccess file and are running Apache 2.x, that block additionally needs the Limit override, i.e. "AllowOverride AuthConfig Limit". Save your changes, check the syntax, and restart your web server. The easiest way to do this is in the terminal:
sudo apachectl configtest
sudo apachectl restart
That should do it; after completing these steps, you will be required to enter your chosen username and password before opening any page on your site. You can use variations in subdirectories to further control access: an .htaccess file applies to its own directory and everything beneath it, so if you put the file only in a subdirectory named "vipstuff", anyone can browse the rest of your site password-free until they request a page in the "vipstuff" directory.
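As an added example, not part of the original hint, here is the whole procedure as a POSIX shell script: it writes the .htaccess file, adds the user with htpasswd, and flips AllowOverride in the configuration, then exercises itself on a constructed sample apache.conf in a temporary directory so it can be run without touching a live server. The paths /Library/WebServer/Documents and foo's "webstuff" folder come from the hint; the layout of the sample configuration is assumed to match the Apache 1.3 default, where the AllowOverride comment quoted above sits inside the DocumentRoot <Directory> block. The <Limit GET> wrapper is deliberately left out so the password requirement applies to every HTTP method.

```shell
#!/bin/sh
# Added example (not the original hint's code): the three steps of the hint as
# shell functions. Assumptions: the sample apache.conf below follows the Apache
# 1.3 default layout; htpasswd is installed on a real server (the demo skips it
# when it is missing so the script still runs anywhere).
set -eu

# Step 1: write DIR/.htaccess pointing at PASSWD_FILE and admitting USER.
# No <Limit> block, so the requirement covers GET, POST, PUT and everything else.
write_htaccess() {
    dir=$1; passwd_file=$2; user=$3
    cat > "$dir/.htaccess" <<EOF
AuthUserFile $passwd_file
AuthGroupFile /dev/null
AuthName "ByPassword"
AuthType Basic
require user $user
EOF
}

# Step 2: add USER to PASSWD_FILE. -c creates the file and would wipe an
# existing one, so it is passed only when the file does not exist yet.
add_user() {
    passwd_file=$1; user=$2; password=$3
    if ! command -v htpasswd >/dev/null 2>&1; then
        echo "htpasswd not found; skipping password file" >&2
        return 0
    fi
    if [ -f "$passwd_file" ]; then
        htpasswd -b "$passwd_file" "$user" "$password"
    else
        htpasswd -b -c "$passwd_file" "$user" "$password"
    fi
    # Hashes are not for everyone: owner read/write, group read. On a live
    # server set the group to the one Apache's user (www on OS X) belongs to.
    chmod 640 "$passwd_file"
}

# Step 3: inside the <Directory "DOCROOT"> block of CONF, change
# "AllowOverride None" to "AllowOverride AuthConfig", leaving every other
# <Directory> block untouched.
enable_authconfig() {
    conf=$1; docroot=$2
    esc=$(printf '%s' "$docroot" | sed 's#/#\\/#g')
    sed "/<Directory \"$esc\">/,/<\/Directory>/s/^\([[:space:]]*\)AllowOverride None/\1AllowOverride AuthConfig/" \
        "$conf" > "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# Check helper: how many AllowOverride lines in CONF carry VALUE.
count_override() {
    grep -c "^[[:space:]]*AllowOverride $2\$" "$1" || true
}

# Constructed sample of the relevant part of an Apache 1.3 apache.conf.
write_sample_conf() {
    cat > "$1" <<'EOF'
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>

<Directory "/Library/WebServer/Documents">
    Options Indexes FollowSymLinks MultiViews
    #
    # This controls which options the .htaccess files in directories can
    # override. Can also be "All", None or any combination of "Options", "FileInfo",
    # "AuthConfig", and "Limit"
    #
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
EOF
}

# Demonstration on a throwaway copy; substitute the real paths on a live server
# and finish with "sudo apachectl configtest && sudo apachectl restart".
work=$(mktemp -d)
mkdir -p "$work/Documents" "$work/webstuff"
write_sample_conf "$work/apache.conf"
write_htaccess "$work/Documents" "$work/webstuff/.htpasswd" username
add_user "$work/webstuff/.htpasswd" username 'correct horse battery staple'
enable_authconfig "$work/apache.conf" /Library/WebServer/Documents
cat "$work/Documents/.htaccess"
grep -n AllowOverride "$work/apache.conf"   # "/" block stays None, docroot becomes AuthConfig
rm -rf "$work"
```

The sed range address is what keeps the change scoped to one <Directory> block; replacing every "AllowOverride None" in the file would also loosen the block for "/", which is more than the hint needs.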

Disclaimer: I am not a security expert by any stretch, and I don't claim to know just how secure this method is on a hacker-proof scale!

Comments (9)


Mac OS X Hints
http://hints.macworld.com/article.php?story=20001208112949174