Web Access Control Guide


 


The .htaccess File

Access restrictions are controlled by a file called ".htaccess" located in the user's Web directory.

The ".htaccess" file consists of sets of directives that control the server, surrounded by a <Files> tag. The syntax is as follows:

 

<Files *>
... directives ...
</Files>

 

This .htaccess file applies the directives to the directory and subdirectories it is placed in. If you need different directives in specific directories, you will need to create a separate .htaccess file and place it in that directory.

The "*" (asterisk) in the <Files> tag indicates that these directives apply to all subdirectories in the directory. For example, if you want certain directives to apply to one directory but more specific or additional directives in another directory, you will need to create another .htaccess file with these directives. If you do not want the directives to apply to all subdirectories, remove the "*" in the <Files> tag.

 


Restricted Directories

Setting up directories with restricted access can be done through ".htaccess". The file allows you to set the location of the username/password file, customize the title of the pop-up window visible to the user on login, and specify the users or groups who have access to the directory.

The first step is to set up a username/password file outside of your public_html directory in a directory called "webguest" with a file called ".htpasswd".

 

Set up the webguest directory

Log into your account using SSH and follow these steps.

 

Note: the "account" below should be replaced with your account name and "online" indicates the server name. In this case, we're logged into online.sfsu.edu, but the same instructions apply to directories on www.sfsu.edu:

 

[account@online ~]$ cd

[account@online ~]$ mkdir webguest

[account@online ~]$ chmod go+rx webguest

[account@online ~]$ cd webguest

 

Set up the username/password file

After setting up the "webguest" directory, follow these steps to create the username/password file. In this example, the username is called "student":

 

[account@online ~]$ htpasswd -c .htpasswd student

New password:

Re-type new password:

Adding password for user student

 

The '-c' option stands for 'create' and creates the username/password file; if the file already exists, it is overwritten. To add more users to an existing username/password file, leave the '-c' option out.

 

[account@online ~]$ htpasswd .htpasswd student2

 


Adding Users

Now that the passwords have been set up, there are two things yet to be done. First we need to make the restricted directory, and second we need to create the .htaccess file in that directory so that the server will recognize the restricted directory.

Now put the following directives into the file, but keep in mind the bold entries are custom settings.

Adjust "account" and any other filenames to your own preference, as long as the path to your .htpasswd file is correct. (To find out what the exact path is, cd to the directory where the file is located and type the command 'pwd'.)

 

Create the restricted directory and .htaccess file

[account@online ~]$ cd

[account@online ~]$ cd public_html

[account@online ~]$ mkdir restrict

[account@online ~]$ cd restrict

[account@online ~]$ vi .htaccess

<Files *>
AuthUserFile /online/account/webguest/.htpasswd
AuthName "Restricted Area"
AuthType Basic
require valid-user
</Files>

 

AuthName is a directive to customize the name that is shown in the pop-up window which asks for the password when someone accesses the directory.

When you're done, type :wq then press ENTER to save your changes and exit vi.

 

Test the password protected directory

To test if the directory is correctly password protected, open a browser and visit the URL of the restricted directory, for example: http://online.sfsu.edu/account/restrict/ where "account" is the name of your account on online.sfsu.edu. It should prompt you for a username and password before you can enter the directory.
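
The setup can also be checked from the shell. The following is an added example, not part of the original guide: a hypothetical helper, check_htaccess, that verifies the .htaccess file contains the four directives shown above and that the file named by AuthUserFile exists, lies outside the web root, is not writable by group or others, and holds only user:hash lines. The function name, its arguments and its messages are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the guide): audit a restricted directory's .htaccess.
# Usage: check_htaccess RESTRICTED_DIR WEB_ROOT   (WEB_ROOT = your public_html)
# Prints findings; the return status is the number of problems (0 = all pass).
check_htaccess() {
    ht="$1/.htaccess"; problems=0
    fail() { echo "FAIL: $*"; problems=$((problems + 1)); }
    [ -f "$ht" ] || { echo "FAIL: $ht not found"; return 1; }

    # All four directives from the guide's example must be present
    # (Apache directive names are case-insensitive).
    for d in AuthUserFile AuthName AuthType Require; do
        grep -qiE "^[[:space:]]*$d[[:space:]]" "$ht" || fail "no $d directive in $ht"
    done

    # Password-file path: second field of the first AuthUserFile line, quotes removed.
    # Assumes the path contains no spaces.
    pw=$(awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2; exit }' "$ht")
    case "$pw" in
        /*) ;;
        *)  fail "AuthUserFile '$pw' is not an absolute path"; return "$problems" ;;
    esac
    [ -r "$pw" ] || { fail "$pw is missing or unreadable"; return "$problems"; }

    # Resolve symlinks and '..' before comparing locations.
    pwdir=$(cd "$(dirname "$pw")" && pwd -P)
    root=$(cd "$2" && pwd -P)
    case "$pwdir/" in
        "$root"/*) fail "$pw is inside the web root and may be downloadable" ;;
    esac

    # Nobody but the owner should be able to change the password file.
    [ -z "$(find -L "$pw" \( -perm -020 -o -perm -002 \))" ] ||
        fail "$pw is writable by group or others"

    # Every non-empty line must look like user:hash.
    if grep -vE '^[^:]+:.+$' "$pw" | grep -q .; then
        fail "$pw has lines that are not in user:hash form"
    fi
    [ "$problems" -eq 0 ] && echo "OK: $ht"
    return "$problems"
}

# When run as a script with two arguments, audit that directory.
if [ "$#" -eq 2 ]; then check_htaccess "$1" "$2"; fi
```

For the layout used in this guide, the call would be check_htaccess ~/public_html/restrict ~/public_html.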

 

 


For More Information

Apache Documentation on .htaccess files
HTAccess Editor