Restricted Web Access with HTaccess

Note: It is important to create and save these files with an editor that writes proper UNIX line endings, and to remove any extra white space. Recommended editors are vi (which makes this most apparent), emacs, nano and Adobe Dreamweaver.

What is Restricted Access and HTaccess?

Restricted access means limiting who can reach a certain directory in a site. An .htaccess file is one way to restrict access, and it supports three methods:

1. Username/password level access authorization. This method requires a user to enter a valid username and password to access a certain web page.

2. Rejection or acceptance of connections based on Internet address, hostname or domain name of the Web client.

3. The combination of 1 and 2.

* Note: None of these methods are foolproof.


Creating HTaccess for Single and Multi Users

Single User Access

1. Create a file called .htaccess (the dot is required) in the directory Personal, with the following format:

AuthUserFile fullpathname/.htpasswd
AuthGroupFile /dev/null
AuthName "AnyNameYouWant"
AuthType Basic

<Limit GET POST>
require user mysecret
</Limit>

  • AuthUserFile-- Replace fullpathname with the full path name of the directory in which the password file (created in the next step) resides. To find out the full path name of the current directory, type pwd at the prompt.
  • AuthGroupFile-- For single-user access there is no .htgroup file, so we specify /dev/null, the standard UNIX way of pointing at a file that holds nothing.
  • AuthName-- This can be anything. It is displayed by the browser when it prompts for the password. If nothing is entered, it defaults to ByPassword. Enclose the name in double quotes (required if it contains spaces).
  • AuthType-- This should be set to Basic, since we are using Basic HTTP Authentication. This means the username and password are sent over the network base64-encoded: not encrypted, though not exactly as typed either, so anyone who can see the traffic can recover them unless the connection uses TLS.
  • In the Limit directive, only the listed methods (GET and POST in this example) are restricted. Other methods (especially in CGI directories) can be limited too by separating them with a space. For example: <Limit GET POST PUT> require user mysecret </Limit>. Any method that is not listed stays unrestricted, so a Limit block naming only GET still leaves POST and the other methods open; to protect the directory for every method, put the require line outside any Limit block.

2. After creating the .htaccess file, create a .htpasswd file by typing htpasswd -c .htpasswd mysecret in the restricted directory, in this case the Personal directory. The -c flag creates a new file, overwriting any .htpasswd that already exists there.

3. After typing this command there should be instructions that require you to type in the password for the user twice. In this example, we will type in dontell twice. If you open up the file, it should look something like this:

mysecret:vlCg6/UxAqH9M

4. Now change the permissions of the files you just created so that the world can read them (the web server process must be able to read both files for this to work) by typing the following commands. Note that world-readable also means any other account on the same host can read the password hashes, which is why the server is normally configured to refuse to serve .ht* files over HTTP.

chmod 744 .htaccess
chmod 744 .htpasswd
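The following is an added example, not code from the original page: it shows what the server does with the AuthType Basic credential described above, and why the AuthType note matters. It decodes the Authorization header a browser sends, looks the user up in a constructed .htpasswd and checks the password. It assumes the entries are in the "{SHA}" form that htpasswd -s writes, since the crypt()-style entries shown on this page (such as mysecret:vlCg6/UxAqH9M) need the system crypt library to verify; the sample file contents and the function names are all assumptions of this example.

```python
"""Decode an HTTP Basic credential and check it against an .htpasswd file."""
import base64
import binascii
import hashlib
import hmac


def sha_entry(password: str) -> str:
    """Return the "{SHA}" hash that `htpasswd -s` stores for a password."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


# Constructed sample .htpasswd (assumption: {SHA} entries as written by
# `htpasswd -s`; the page's crypt()-style entries such as
# "mysecret:vlCg6/UxAqH9M" need the system crypt library and are not handled).
SAMPLE_HTPASSWD = "\n".join([
    "# a comment line, ignored by the server",
    "",
    "mysecret:" + sha_entry("dontell"),
    "tom:" + sha_entry("toms-password"),
])


def parse_htpasswd(text: str) -> dict:
    """Map username -> stored hash, skipping blank and comment lines."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        users[user] = stored
    return users


def verify_password(stored: str, password: str) -> bool:
    """Check a candidate password against one stored {SHA} entry."""
    if not stored.startswith("{SHA}"):
        return False  # crypt, apr1 and bcrypt entries are out of scope here
    return hmac.compare_digest(stored, sha_entry(password))


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header a browser sends for Basic auth."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic_header(header: str):
    """Recover (user, password) from a Basic header, or None if malformed.

    The credential is only base64-encoded, so anyone who can read the
    request on the wire can decode it exactly like this."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, password = raw.split(":", 1)  # the password itself may contain ':'
    return user, password


def authenticate(header: str, htpasswd_text: str):
    """Return the username if the header carries valid credentials, else None."""
    creds = decode_basic_header(header)
    if creds is None:
        return None
    user, password = creds
    stored = parse_htpasswd(htpasswd_text).get(user)
    if stored is None or not verify_password(stored, password):
        return None
    return user


if __name__ == "__main__":
    header = basic_header("mysecret", "dontell")
    print(header)                                 # Basic bXlzZWNyZXQ6ZG9udGVsbA==
    print(decode_basic_header(header))            # ('mysecret', 'dontell')
    print(authenticate(header, SAMPLE_HTPASSWD))  # mysecret
```

The comparison uses hmac.compare_digest so that verifying a wrong password takes the same time as verifying the right one; the decoder rejects anything that is not well-formed base64 rather than guessing.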


Below is a complete example that restricts access to a directory named Personal to a single user with username mysecret and password dontell.

Example .htaccess

AuthUserFile /web/decs/web/single/.htpasswd
AuthGroupFile /dev/null
AuthName Single_User
AuthType Basic

<Limit GET>
require user mysecret
</Limit>

Example .htpasswd

mysecret:EQbTKu5OI7p5I

Multiple Users Access

1. Add additional users to the .htpasswd file.

  • Use the htpasswd command again, this time without the -c flag. For example, to add tom, dick and harry to the list of people who may access the directory, type the following commands at the prompt:

htpasswd fullpathname/.htpasswd tom
htpasswd fullpathname/.htpasswd dick
htpasswd fullpathname/.htpasswd harry

fullpathname is the full path name of the directory containing the .htpasswd file. If you are already in that directory, fullpathname is not required.

*You can give each member of the group a different password or use one password for all members.


2. Create a group file called .htgroup (remember the dot). The .htgroup file should look something like this:

my-users: tom dick harry

where tom, dick and harry are the people to whom you want to give access. You can replace my-users with any name you like for the group.


3. Then modify your .htaccess file. Below is an example of a .htaccess file for a group.

AuthUserFile fullpathname/.htpasswd
AuthGroupFile fullpathname/.htgroup
AuthName AnyNameYouWant
AuthType Basic

<Limit GET>
require group my-users
</Limit>

  • AuthGroupFile-- This should be the full path name of your .htgroup file.
  • Change require user mysecret to require group my-users (or whatever you named your group) so that only people in that group can gain access. The group name must match the one in .htgroup exactly; a misspelled name matches nobody and locks everyone out.

4. Don't forget to change the permissions to 744.

Restricting a directory to multiple username/password pairs works the same way as a single pair, apart from the extra steps above. A complete example:

Example .htgroup

mybuddy: tom dick harry

Example .htaccess

AuthUserFile /web/decs/web/multiple/.htpasswd
AuthGroupFile /web/decs/web/multiple/.htgroup
AuthName Multiple_User
AuthType Basic

<Limit GET>
require group mybuddy
</Limit>
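As an added example (not code from the original page), here is the authorization decision that the require line above makes once a user has authenticated: parse a constructed .htgroup in the page's "group: member member" format and evaluate require user, require group and require valid-user against it. The sample group file and the function names are assumptions of this example.

```python
"""Evaluate `require user` / `require group` lines against an .htgroup file."""

# Constructed sample .htgroup in the format the page shows ("group: member ...").
SAMPLE_HTGROUP = "\n".join([
    "# comment lines are skipped",
    "mybuddy: tom dick harry",
    "staff: harry jane",
])


def parse_htgroup(text: str) -> dict:
    """Map group name -> set of member usernames."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, members = line.split(":", 1)
        # a repeated group name simply adds more members (design choice of this parser)
        groups.setdefault(name.strip(), set()).update(members.split())
    return groups


def parse_require(line: str):
    """Split a `require` line into (kind, names); kind is user, group or valid-user."""
    parts = line.split()
    if len(parts) < 2 or parts[0].lower() != "require":
        raise ValueError(f"not a require line: {line!r}")
    kind = parts[1].lower()
    names = set(parts[2:])
    if kind == "valid-user" or (kind in ("user", "group") and names):
        return kind, names
    raise ValueError(f"unsupported require line: {line!r}")


def is_authorized(user: str, require_line: str, groups: dict) -> bool:
    """Decide whether an already-authenticated user satisfies the require line.

    An unknown or misspelled group name (the page's my-user versus my-users)
    matches nobody, so the directory fails closed rather than open."""
    kind, names = parse_require(require_line)
    if kind == "valid-user":
        return True
    if kind == "user":
        return user in names
    return any(user in groups.get(group, ()) for group in names)


if __name__ == "__main__":
    groups = parse_htgroup(SAMPLE_HTGROUP)
    print(groups)
    print(is_authorized("tom", "require group mybuddy", groups))   # True
    print(is_authorized("tom", "require group my-user", groups))   # False: no such group
```

The password check itself is a separate step (the user must already have authenticated against .htpasswd); this block only answers whether that user is one the require line admits.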

Domain Name Access

Besides giving access to single or multiple users, you can also give access to clients from a certain domain, e.g. egr.msu.edu. This is an example of what the .htaccess should look like:

Example .htaccess

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName AllowFromEgrMsuOnly
AuthType Basic

<Limit GET>
order deny,allow
deny from all
allow from 35.9
</Limit>

Here 35.9 is a partial IP address: it matches every client whose address begins with 35.9. (the first two octets), which is the address range of the egr.msu.edu domain in this example. With order deny,allow the default is to allow, the deny line then blocks everyone, and the allow line re-admits only the listed range.

Domain Name Access - Exclusion

You may want to exclude clients from one domain only. The .htaccess file would then look like this:

Example .htaccess

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName DenyFromEgrMsuOnly
AuthType Basic

<Limit GET>
order allow,deny
allow from all
deny from 35.9
</Limit>


Combinational Access

To combine password-based and host-based access, the .htaccess should look something like this:

AuthUserFile fullpathname/.htpasswd
AuthGroupFile fullpathname/.htgroup
AuthName AnyAccess
AuthType Basic

order deny,allow
deny from all
allow from egr.msu.edu
require group mybuddy
satisfy any

With satisfy any a client is admitted if it passes either check: it connects from egr.msu.edu, or it authenticates as a member of mybuddy. Use satisfy all to require both, i.e. to restrict access by domain/address AND password. Note that matching on a domain name (rather than an address such as 35.9) makes the server do a reverse DNS lookup of the client address, confirmed by a forward lookup, on every request, which is slower and less reliable than matching on the address itself. On Apache 2.4 the order, allow, deny and satisfy directives come from the compatibility module mod_access_compat; the native equivalents are Require ip, Require host and Require all, combined with the RequireAny and RequireAll containers.
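The following is an added example, not code from the original page, that works through the host-based rules of the last three sections (allow-only, exclusion, and the combination with satisfy) the way the server evaluates them: Order decides the default and which of allow/deny wins, patterns may be "all", a full or partial address such as 35.9, a CIDR range, or a domain suffix, and satisfy any/all combines the host result with the password check. The .htaccess texts, the placeholder paths and the function names are assumptions of this example; the password/group check is passed in as a boolean because it is evaluated separately.

```python
"""Emulate Apache 2.2-style host access control: Order, Allow/Deny from, Satisfy."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class AccessPolicy:
    order: str = "deny,allow"                   # Apache's default Order
    allow: list = field(default_factory=list)   # patterns from "allow from ..."
    deny: list = field(default_factory=list)    # patterns from "deny from ..."
    require: str = None                         # e.g. "group mybuddy"; None if absent
    satisfy: str = "all"                        # Apache's default Satisfy


def parse_policy(text: str) -> AccessPolicy:
    """Pull the access-control directives out of .htaccess text (other lines ignored)."""
    policy = AccessPolicy()
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts:
            continue
        key = parts[0].lower()
        if key == "order" and len(parts) == 2:
            policy.order = parts[1].lower()
        elif key in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            getattr(policy, key).extend(parts[2:])
        elif key == "require" and len(parts) >= 2:
            policy.require = " ".join(parts[1:])
        elif key == "satisfy" and len(parts) == 2:
            policy.satisfy = parts[1].lower()
    return policy


def matches(pattern: str, client_ip: str, client_host) -> bool:
    """Does one allow/deny pattern match the client? client_host is the
    forward-confirmed reverse-DNS name, or None when it is unknown."""
    pattern = pattern.lower()
    if pattern == "all":
        return True
    if "/" in pattern:                          # CIDR or address/netmask form
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    pieces = pattern.split(".")
    if all(p.isdigit() for p in pieces):        # full or partial IP such as "35.9"
        return client_ip.split(".")[: len(pieces)] == pieces
    if not client_host:                         # domain patterns need a hostname
        return False
    host = client_host.lower()
    return host == pattern or host.endswith("." + pattern)


def host_allowed(policy: AccessPolicy, client_ip: str, client_host=None) -> bool:
    """Order semantics: deny,allow defaults to allow and an Allow overrides a
    Deny; allow,deny defaults to deny and a Deny overrides an Allow."""
    allowed = any(matches(p, client_ip, client_host) for p in policy.allow)
    denied = any(matches(p, client_ip, client_host) for p in policy.deny)
    if policy.order == "deny,allow":
        return allowed or not denied
    return allowed and not denied


def access_granted(text: str, client_ip: str, client_host=None, auth_ok=False) -> bool:
    """Final decision; auth_ok says whether the client already passed the
    username/password and require-group checks (evaluated separately)."""
    policy = parse_policy(text)
    by_host = host_allowed(policy, client_ip, client_host)
    if policy.require is None:                  # no password rule: host rules decide
        return by_host
    if policy.satisfy == "any":                 # either check is enough
        return by_host or auth_ok
    return by_host and auth_ok                  # satisfy all: both are required


# Constructed .htaccess texts following the page's examples (paths are placeholders).
ALLOW_DOMAIN_ONLY = "order deny,allow\ndeny from all\nallow from 35.9\n"
EXCLUDE_DOMAIN = "order allow,deny\nallow from all\ndeny from 35.9\n"
COMBINED = (
    "AuthUserFile /path/to/.htpasswd\nAuthGroupFile /path/to/.htgroup\n"
    "AuthName AnyAccess\nAuthType Basic\n"
    "order deny,allow\ndeny from all\nallow from egr.msu.edu\n"
    "require group mybuddy\nsatisfy any\n"
)

if __name__ == "__main__":
    print(access_granted(ALLOW_DOMAIN_ONLY, "35.9.1.1"))                                # True
    print(access_granted(EXCLUDE_DOMAIN, "35.9.1.1"))                                   # False
    print(access_granted(COMBINED, "198.51.100.7", "host.example.net"))                 # False
    print(access_granted(COMBINED, "198.51.100.7", "host.example.net", auth_ok=True))   # True
```

Two details worth checking against your own files: a partial address is compared octet by octet, so 35.9 does not match 35.91.0.1, and a domain pattern matches only at a label boundary, so egr.msu.edu does not match notegr.msu.edu.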