- Author: Daniel Hemmerich [zartik]
- Date: December 26, 2000
- File Information: Avaliable at www.bsdpro.com and www.defcon1.org, e-mail author for permission to copy.
- Purpose: How to effectively use htaccess to help secure your web site's private sections.

To start, we need to create our user file. This is done with the htpasswd program which is provided with the apache distribution. Since we are just creating this user file, we need to use the -c flag. We will put the user file in /home/dan/users and we will be adding the user joe. We will then add a second user, sam. If we used the -c flag on the second user addition, it would erase our joe entry.

$ htpasswd -c /home/dan/users joe
$ htpasswd /home/dan/users sam

Now let us make the .htaccess file. Let's say you want to prevent people from viewing the directory (and it's subdirectories) /home/dan/web/private (URL http://www.danswebsiteforthishowto.com/private). You need to create and edit the file: /home/dan/web/private/.htaccess and put the following in it:

AuthName "put the name of your private area in here, must be a differant name than any other private area on your site"
AuthType Basic
AuthUserFile /home/dan/users
require valid-user

Just for a note, if you wanted to let joe in, but not sam, you could replace require valid-user with:

require user joe

You are going to need in your apache configuration file the following lines, the first is just to tell the server our file name for access will be .htaccess, and the second is to prevent on all sites the ability to view the file, because that would be an obvious security risk.

AccessFileName .htaccess
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>

If you want your apache server to enable .htaccess, you must put in the <Directory /> directive: AllowOverride AuthConfig.

Also, if you have any questions, would like to make any comments, or just have some general input, please contact me at the e-mail address listed above in the Author field.