Limiting user access to a web page

The webserver we use here at rdwarf.com is Apache, which is a very powerful and complex server, providing many useful features.  Most of these features must be configured at the system level, and users needn't worry about them.  There are several things that can be set up on a per-user basis, however.

One of those things is security.  For any particular set of web pages, a list of users may be defined, and those users given passwords.  If someone does not have a user name and matching password, they are unable to see the page.

This is not the most secure mechanism imaginable.  The passwords are sent over the Internet as plain, unencrypted text, and may be intercepted between the user and rdwarf.com.  While stored on rdwarf.com, they use an old-fashioned and relatively easily broken storage mechanism.  If the pages in question require very secure access, this is not an appropriate mechanism.  However, for many things, it will more than suffice.

Setting it up

In the directory that is intended to be secure, you must create two files, .htaccess and .htpassword.  .htaccess is responsible for enabling security, and .htpassword defines who can get there.

The .htaccess file

.htaccess needs to contain the following lines:

AuthName "Area Name"
AuthType Basic
AuthUserFile /path/to/directory/.htpassword
require valid-user

AuthName defines a name for this secure area.  Any page with the same name defined will only ask for passwords once per session, so multiple pages can use the same passwords without asking the user constantly.  That name will also be shown in the user's browser when they are asked for a password.

AuthType sets the type of authentication to the kind we use.

AuthUserFile lists the complete path to the .htpassword file to be checked for passwords.  This can be anywhere in your home directories, really, and different places can point to the same one, so you can have several directories that use the same set of users and passwords.  For the user directories on rdwarf, paths look something like /home/username/public_html/whatever.

require valid-user means that to display the page, the visitor must have a valid username and password.

The .htpassword file

There is a tool to create the .htpassword file, called htpasswd.  Telnet in to holly.rdwarf.com and run it from there.  It will manage the .htpassword files for you.

To create a new .htpassword file and put a user in it, use the command:

htpasswd -c .htpassword user

htpasswd will then prompt you twice for that user's password.

To add a user's password to an existing .htpassword file, leave out the -c, which means "create".

htpasswd .htpassword anotheruser

Removing a user is a little trickier.  You need to edit the .htpassword file, and take out the line that begins with the user's name.
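The earlier caveat about how passwords are stored comes down to which hashing scheme each line of .htpassword uses.  The following is an added example, not part of the original page: it reads the text of a password file and reports the scheme behind each entry.  The sample entries are constructed, and the "ok", "dated" and "weak" ratings are this example's own judgement.

```python
import re

# Constructed sample file contents; none of these are real password hashes.
SAMPLE = """\
# staff area
alice:abJnggxhB/yWI
bob:$apr1$constrct$0123456789abcdefghijk.
carol:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
dave:$2y$05$CONSTRUCTEDconstructedCONSTRUCTEDconstructedCONSTRUCT
"""

# Traditional crypt(3) DES output: 2 salt characters followed by 11 hash characters.
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")

# Prefix -> (scheme, rating).  Ratings are this example's own judgement.
PREFIXES = {
    "$2y$": ("bcrypt", "ok"),
    "$2a$": ("bcrypt", "ok"),
    "$2b$": ("bcrypt", "ok"),
    "$5$": ("sha256-crypt", "ok"),
    "$6$": ("sha512-crypt", "ok"),
    "$apr1$": ("apr1-md5", "dated"),
    "{SHA}": ("sha1-unsalted", "weak"),
}

def classify(hash_field):
    """Return (scheme, rating) for the part of a line after 'user:'."""
    for prefix, result in PREFIXES.items():
        if hash_field.startswith(prefix):
            return result
    if DES_CRYPT.fullmatch(hash_field):
        return ("des-crypt", "weak")  # 12-bit salt; only 8 password chars count
    return ("unrecognised", "weak")   # possibly plain text: treat as weak

def audit(text):
    """Return [(user, scheme, rating)] for every entry in password-file text."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue                  # blank line, comment, or malformed
        user, hash_field = line.split(":", 1)
        entries.append((user, *classify(hash_field)))
    return entries

if __name__ == "__main__":
    for user, scheme, rating in audit(SAMPLE):
        print(f"{user:8} {scheme:14} {rating}")
```

To check a real file, pass its contents to audit() in place of SAMPLE.  On Apache 2.4, rerunning htpasswd for a user with the -B option rewrites that entry with bcrypt.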

Tips

Editing files

To edit a file on rdwarf, use the pico editor.  Telnet in to rdwarf, cd to the directory with the file you want to edit in it, and type:

pico filename

The editor will come up on your screen.  Your arrow keys should move the cursor around.  Control-K will delete (kill) an entire line, and Control-X will eXit the editor, and ask if you want to save first.  There are a few useful keys displayed on the screen, and Control-G will "Get help".

Working with oddly named files

To store the .htpassword and/or .htaccess files on a Windows computer, you'll have to call them something that doesn't start with a dot, and rename them when you get them to holly.

Renaming files

From Telnet, you can rename a file with the mv (move) command:

mv oldname newname

Text files from Windows

MS-DOS and Windows store text files a little differently than Unix.  If things are being strange, you might try making sure it's a Unix text file, not a Windows one.  Most things on the Web don't care, but .htpassword, .htaccess, and script files tend to.

To convert a file from a Windows text file to a Unix one, use the command:

dos2unix filename

To go back to a Windows file, so you can cope with it under Windows, use the command:

unix2dos filename

Getting help

If there's something vague or unclear in here, please don't hesitate to ask me for help.