
Create protected web-access user folders via Apache UNIX
In this hint, we will set up a directory on a web server so that it will ask a web user for a username and password, and then take them to their own folder within that directory. There are a lot of variations that can be made off of this hint, but those are up to the reader.

This variation will prompt a user for a password and if properly given, will take that user to their own folder. It will display that folder as if it were the top-level folder in that directory (that makes sense once you play with it). This tip requires nothing that does not come with MacOS X out-of-the-box, and should be fairly secure. I am going to assume that the reader:
  • has turned on WebSharing on their computer
  • is comfortable with using the command line, including a text editor (of their choice) and sudo (and has sudo rights -- i.e. the user is an admin)

The first thing to do is to change a couple of the default settings in the Apache configuration file to allow us to control the security of the directory we are going to work on. So we need to open /etc -> httpd -> httpd.conf for writing and find this section:
# This controls which options the .htaccess files in directories can
# override. Can also be "All", or any combination of "Options", "FileInfo",
# "AuthConfig", and "Limit"
#
    AllowOverride None
Change the last line to:
    AllowOverride All
We don't actually need All, but let's keep it simple here. You also need to restart Apache so that it picks up the changes. Next we need to make the directory that is going to be the home base for all of this. For this tip, I am going to use the directory name passwordtest, and I am going to put it right in /Library -> WebServer -> Documents. We will also create the directory that will hold all of the user folders. So the commands for this are:
$ cd /Library/WebServer/Documents
$ mkdir passwordtest
$ cd passwordtest
$ mkdir users
Now we need to set up our first user. To do this, we are going to create a .htpasswd file and put the user into it, and then create a directory with the same name in the users folder. For the purposes of this tip, we are going to put the .htpasswd file (the one that stores all of the user names and passwords) in the same directory that we are securing. This is generally a bad idea from a security standpoint, and I would encourage you to put it somewhere else in a production environment.
$ htpasswd -c .htpasswd USER_NAME
Of course, you need to replace USER_NAME with the name you want. This will then ask you for a password twice. If you want to add more users, you just need to use the same command without the -c (which means create-file). Now for every user, you need to remember to create a folder in the users folder with the same name as you just used (USER_NAME).
$ mkdir users/USER_NAME
And now the magic part... create a file named .htaccess in the passwordtest folder, and copy this text into it:
AuthUserFile /Library/WebServer/Documents/passwordtest/.htpasswd
AuthName "password test"
AuthType Basic
require valid-user

RewriteEngine on
RewriteBase /passwordtest/
RewriteCond %{REQUEST_URI} !^/passwordtest/users/
RewriteRule ^(.*) users/%{REMOTE_USER}/$1
RewriteCond %{REQUEST_URI} ^/passwordtest/users/$
RewriteRule (.*) .
The first line tells Apache where to look for the password file for this directory. The second line is the message that the users will get when their web browser asks them for the password, and the next two lines tell Apache that the user has to be properly authenticated in order to use this directory. You could also put in the location of a file to send people to who do not enter proper username/password combinations, but that is the stuff of another hint.

The second group of lines is what actually does the work of sending people to the proper folders. I would encourage people to look over the documentation on URL rewriting that is provided over on the Apache site. This will help you get better acquainted with what I am doing here, or what else can be done with this system.

You can now place any content you wish in each of the folders, and only people with that login and password will be able to see it. As a teaser, it is possible to create more rules to have the content in the user folders merely replace the content in the main directory, so that all of the users would see the same content, unless it was replaced for them specifically.
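Added example, not part of the original hint: `require valid-user` admits every account in .htpasswd, and the first RewriteCond leaves requests that already start with /passwordtest/users/ unrewritten, so the rewrite on its own does not tie a folder to its owner. The shell functions below create each user folder with its own .htaccess containing `require user NAME` and list any folder that lacks it; the function names and the name-validation rule are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original hint. BASE is the protected directory
# (the hint's /Library/WebServer/Documents/passwordtest).

# Accept only simple names: the name becomes a path component and the
# argument of a require line, so reject empty names, dot-names and any
# character outside letters, digits, '.', '_' and '-'.
valid_name() {
    case "$1" in
        ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Create BASE/users/NAME and restrict it to the account of the same name.
add_user_folder() {
    base=$1
    name=$2
    valid_name "$name" || { echo "bad user name: $name" >&2; return 1; }
    mkdir -p "$base/users/$name" || return 1
    # AuthUserFile, AuthName and AuthType are inherited from BASE/.htaccess;
    # this narrower line replaces "require valid-user" for this folder only.
    printf 'require user %s\n' "$name" > "$base/users/$name/.htaccess"
}

# Print the name of every user folder that is not pinned to its own account.
audit_user_folders() {
    base=$1
    for dir in "$base"/users/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        grep -Fqx -- "require user $name" "$dir/.htaccess" 2>/dev/null \
            || echo "$name"
    done
}
```

The account itself is still added with the hint's htpasswd command; audit_user_folders printing nothing means every existing folder carries the restriction.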

Create protected web-access user folders via Apache
Authored by: rattler14 on Oct 04, '04 11:21:25AM

Talk about odd timing. I was just updating my site to include all of the .htaccess files to protect certain sections of my site. Quick question, has anyone else had any luck using

AuthType Digest vs AuthType Basic?

Essentially, Digest is a more secure version using MD5 checksums vs just sending it "in the clear" as basic does (from what I've read). Unfortunately, Digest gives me all sorts of internal errors (much like digestion for humans ;) from the server.

Great tip though, I look forward to reading up more on the rewrite module.



Create protected web-access user folders via Apache
Authored by: macshome on Oct 04, '04 02:57:14PM

AFAIK, you need to run Mac OS X Server and use a Password Server account to be able to use the MD5 digest logins. We use this for our iCal WebDAV shares at work.



Create protected web-access user folders via Apache
Authored by: rattler14 on Oct 04, '04 05:24:42PM

Hmmm, even if I installed the server-logistics apache 2.0.48 complete package (meaning I turn off websharing via system preferences and run apachectl from /Library/Apache2/htdocs/)? It seems to include the module un-commented by default.

Not a huge deal, I'm just playing around with things now. Eventually would like to use such features. I'll send an e-mail to the apache dev/support team.



Create protected web-access user folders via Apache
Authored by: cilly on Oct 04, '04 08:21:49PM

Or use weblog:

weblock

---
cilly @ http://www.cilly.dyndns.org/


Create protected web-access user folders via Apache
Authored by: alys on Oct 05, '04 03:45:09AM

Unless weblock has features that aren't mentioned on its (brief) web page, I think the software would only protect directories, not do the really nifty redirection of each user into his own directory that this hint does. (Very nice hint by the way, larkost!)



Create protected web-access user folders via Apache
Authored by: Fern on Oct 05, '04 03:50:16AM

thank you very much cilly.
you made my day.
that other wrap-around app as well...woah. trippy.
maybe because so many hours of my life,
i've occupied the closed rectangular universe of this screen -
i got this weird tingly feeling when i first played with it,
like the feeling of passing through a wall in a dream,
or the moment that you hit ground in a 'falling' dream.
like some rule of physics is being broken,
conflicting with your perception and expectations.
woah.
maybe it's all the coffee, cigarettes, allergy medicine, lack of sleep getting to me.




Create protected web-access user folders via Apache
Authored by: cilly on Oct 27, '04 10:20:26AM

yeah, I like weblock fast and easy!

---
cilly


