There are several methods for protecting web directories on an Apache web server and last week, I posted a quick tip for protecting a directory by IP address. With this quick tip today, I will review the steps to protecting a web directory with passwords. This method has its advantages and limitations, and I will review the pros and cons of using this process. This tip falls under the general Apache web server guidelines for authentication, authorization, and access control on an Apache HTTP web server.
If you would like to protect a directory and its contents from the casual web user, you can utilize the .htaccess file again to set up password protection. Note, however, that this technique is not recommended to secure very sensitive data.
Web developers who utilize this technique should adhere to their organization’s standards with regard to user authentication including login IDs and password use. The following are general recommendations on setting passwords for protected web directories:
- Passwords and user login IDs must be unique to each authorized user and must be kept private.
- Passwords should be a mix of alpha, numeric, and special characters. Names, readable words, social security numbers, etc., should not be utilized as passwords.
- Passwords should be renewed every 90 days.
Steps to password protect a web directory
Let’s say you want to password protect the following web directory: intranet/data/web/dev/formulas
The following instructions require the use of a Telnet or SSH application such as PuTTY, for example, in order to post commands to an Apache server running on Linux, Ubuntu, or a Unix operating system.
Step 1 - We will create a new sub-directory within the root web directory. In this example, in a new web sub-directory, we will name “userdir” as in intranet/data/web/userdir (NOTE: the paths used as examples may vary depending upon your Apache web server installation.), using the command:
Step 2 - Change your directory to the one you just created using the command:
Step 3 - Next, we will create the user IDs and passwords. Remember, it is best to use unique user IDs and passwords for each unique user, and if you need to password protect more than one directory, a password file will need to be created for each one. In this example, we will create a password file named “userpass” with an initial user named “JohnDoe”, on the command line. To create the file, we will utilize the htpasswd utility that comes loaded with Apache. This will be located in the bin directory of wherever you installed Apache. To create the file, type:
/server/apps/bin/htpasswd - c userpass InitialUser
Step 4 - To add a user named “JohnDoe,” type the following command:
/server/apps/bin/htpasswd - c userpass JohnDoe
The server will prompt for a password in the following form; respond with adding the password twice:
New password: mypassword
Re-type new password: mypassword
Adding password for user JohnDoe
Step 5 - You can add in additional users you wish to give access using the following commands:
/server/apps/bin/htpasswd userpass NextUser
Then, add in the next user, for example, “JaneDoe”:
/server/apps/bin/htpasswd userpass JaneDoe
The server will prompt for a password in the same form as displayed above, prompting for entering the password twice. Continue in this process until all users are added to the userpass file.
Step 6 - Set the permissions on the directory you are protecting using the numeric recodesented form to set the chmod for the protection you desire. The following commands provide varying levels of access.
If you want others in your group to be able to write to the directory, type the command:
chmod 775 intranet/data/web/dev/formulas
If you do NOT want others from your group to be able to write to the directory type:
chmod 755 intranet/data/web/dev/formulas
The Unix / Linux permissions refresher by Daniel Miessler is a great resource for brushing up on file permissions.
Step 7 - Next, we will change to the directory we are protecting, in this example, the web directory: intranet/data/web/dev/formulas. Type in the command:
We will create the .htaccess file now and save it to the protected directory. This file will tell the Apache web server to prompt for a user ID and password, and where to look for the confirmation of the authentication information. The .htaccess file can be created in the text editor of your choice. I like to use Dreamweaver, but Notepad works just as well. Insert the following code into the .htaccess file:
AuthType Basic AuthName "Secure" AuthUserFile /intranet/data/web/userdir/.htpasswd Require valid-user Order deny,allow Deny from all <Limit GET HEAD POST> Allow from all </Limit>
Save the updated .htaccess file and then add it to your protected directory, in this case, the /intranet/data/web/dev/formulas. Your directory is now password protected. Any users who browse to files in this directory will be prompted to enter a user id and password to gain access to the resources.
For an in-depth read on password-protected web directories on an Apache HTTP web server, check out the documentation “htpasswd - Manage user files for basic authentication.”