Today I’ve been struggling with .htaccess and .htpasswd in order to password-protect a directory on a site I’ve been working on.
I always find that when I Google for help I get sites that kind of help but not 100% so here’s my problem and solution.
The Problem
I have an admin area that needs protecting and HTTP-authorisation is the most secure; this needs .htaccess and .htpasswd files to be setup accordingly. I created .htaccess with the values:
AuthType Basic AuthName "Authenticated Users only" AuthUserFile /var/www/html/folder/subfolder/.htpasswd require valid-user
Then I needed to create the .htpasswd file and every website I found through google told me I needed to telnet/ssh into my web account and type some commands. I don’t have the option to do that so, I had to create the .htpasswd file as a text file on my pc then upload it via FTP. After much deliberating and googling I found ahtpasswd password encryption tool. Just type in what you want as the username and password and it will convert it to unix encoding then just copy the text into a text file and save as .htpasswd, upload both to your server and voila.
FTP woes
When I looked at the files on my FTP server just after uploading I could see them them, but if I disconnected and reconnected just a few minutes later. However my technician informed me
by default unix hides files starting with a
.you need to usels -lato see them
The other quickly resolved problem revolved around the fact that by default .htaccess is disabled in apache, but the technician re-enabled it and all was fine.
Update (17/09/2005)
It’s probably best you place the .htpasswd file somewhere away from the main site directory e.g. somewhere a hacker can’t just type in www.yoursite.com/directory/.htpasswd and get your passwords! The example I’ve used of /var/www/html/folder/subfolder/.htpasswd shouldn’t be copied and is very insecure. A much better solution would be /var/.htpasswd.
You should also setup Apache so it doesn’t allow people to see your .htaccess nor .htpasswd files.