Controlling directory access with an .htaccess file

By: itnetsec on Dec 1st, 2011
#Written by: Michael Wood
#Date 12-01-2011

A very quick and easy way to control directory access is to create an .htaccess file.  The .htaccess file tells Apache to require valid user credentials for access to whatever directory you put the .htaccess file in.

First, we have to create the .htpasswd file.  This file contains each username and the hash of that user's password.  Example contents of the .htpasswd file would look like this:
user:$apr1$ROvNIWjo$96bOcy.gSiVuMlD9jphYO.
user2:$apr1$ROvNIWjo$96bOcy.gSiVuMlD9jphYO.
user3:$apr1$ROvNIWjo$96bOcy.gSiVuMlD9jphYO.

To create the file, run this command:
sudo htpasswd -c .htpasswd <username>
It will ask you for a password.

To add users to an existing .htpasswd file:
sudo htpasswd .htpasswd <username>
Again, it will ask you for a password.  Leave out -c here: -c creates the file again and overwrites any users already in it.

I usually create a directory called user-access outside my document root (where my web sites are stored).  A password file kept outside the document root is not reachable through a URL.
In my case the document root is located at /data/www, so I will create the directory user-access in /data.

Run this command:
sudo mkdir /data/user-access

Ok.  Remember the .htpasswd file we created above?  Move it to the new directory you just created, /data/user-access.
If I had created the file in my home directory, it would be something like this:
sudo mv /home/user/.htpasswd /data/user-access

Now we are going to create the .htaccess file.  I want to restrict users from accessing a download directory on my server.  The directory in question is:
/data/www/downloads

I'm going to change to this directory and create the .htaccess file:
cd /data/www/downloads

Create the .htaccess file:
sudo vi .htaccess

Here is an example of what mine looks like:

AuthUserFile /data/user-access/.htpasswd
AuthName "Restricted Access - Valid User Credentials Required"
AuthType Basic

Require valid-user
Order allow,deny
Satisfy any

The line AuthUserFile /data/user-access/.htpasswd tells Apache where to find the .htpasswd file we created earlier.  It won't work if you don't set this file path correctly.

In the line AuthName "Restricted Access - Valid User Credentials Required", the text wrapped in quotes can be changed to whatever you decide.

The line Require valid-user simply says that it will accept any user you created in the .htpasswd file.  If you want to restrict it to just a single user, you can change that line to Require user <username>  (without brackets)

The lines Order allow,deny and Satisfy any work as a pair: Order allow,deny with no Allow line rejects every client by address, and Satisfy any admits a request that passes either the address check or the login, so the login is the only way in.  If an Allow from line is added later, clients matching it get in without a password.

Restart Apache (this command will differ depending on the particular Linux distribution you have installed):
sudo /etc/init.d/apache2 restart

You can now use this .htaccess file to control access to pretty much any web directory.  No need to modify anything in it, just move it to whatever directory you want to control access to.
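
The layout described above can be checked mechanically. The shell function below is an added example, not part of the original paste; the names check_htaccess and get_directive and the temporary demo paths are made up for it. It reads an .htaccess and reports a password file placed inside the document root, a wrong AuthUserFile path, a missing Require line, and a Satisfy any that an Allow line turns into a bypass.

```shell
#!/bin/sh
# Added example: audit an .htaccess that protects a directory with Basic auth.
# Usage: check_htaccess <htaccess-file> <document-root>
# Prints one finding per line; exit status is 0 only when there are none.
# Print the arguments of the first matching directive (names are case-insensitive).
get_directive() {
    awk -v d="$2" 'tolower($1) == tolower(d) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# The body is a subshell, so its variables and helpers do not leak to the caller.
check_htaccess() (
    file=$1 docroot=${2%/} rc=0
    note() { echo "$1"; rc=1; }
    lower() { tr 'A-Z' 'a-z'; }

    [ "$(get_directive "$file" AuthType | lower)" = basic ] || note "AuthType is not Basic"
    [ -n "$(get_directive "$file" Require)" ] || note "no Require line, so nobody has to log in"

    # Paths are compared as written; symlinks and ".." are not resolved.
    pw=$(get_directive "$file" AuthUserFile | tr -d '"')
    case $pw in
        "")           note "AuthUserFile is missing" ;;
        "$docroot"/*) note "password file is inside the document root: $pw" ;;
        /*)           [ -r "$pw" ] || note "password file missing or unreadable: $pw" ;;
        *)            note "relative AuthUserFile, resolved against ServerRoot: $pw" ;;
    esac

    # With Satisfy any, a client matching an Allow line gets in without a password.
    if [ "$(get_directive "$file" Satisfy | lower)" = any ] &&
       [ -n "$(get_directive "$file" Allow)" ]; then
        note "Satisfy any plus an Allow line: matching clients skip the login"
    fi
    exit "$rc"
)

# Constructed demo tree mirroring the layout above (temporary paths, not /data).
demo=$(mktemp -d)
mkdir -p "$demo/www/downloads" "$demo/user-access"
echo 'user:CONSTRUCTED-PLACEHOLDER-HASH' > "$demo/user-access/.htpasswd"
cat > "$demo/www/downloads/.htaccess" <<EOF
AuthUserFile $demo/user-access/.htpasswd
AuthName "Restricted Access - Valid User Credentials Required"
AuthType Basic
Require valid-user
Order allow,deny
Satisfy any
EOF
check_htaccess "$demo/www/downloads/.htaccess" "$demo/www" && echo "no findings"
rm -rf "$demo"
```

The readability test uses the account that runs the script; the Apache user needs read access to the password file as well.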