Your site, or parts of it, may not be intended for the general public. You can limit access to parties with usernames and passwords (provided by you) by using an .htaccess file, which turns on Basic authentication, a basic security function built into the HTTP protocol.

The .htaccess file must be placed in the directory you want protected. It must contain the following:

For a single-user account:


AuthUserFile /htdocs/userdirs/[$USERNAME]/.htpasswd
AuthGroupFile /dev/null
AuthName "Private"
AuthType Basic
require valid-user

and for a Corporate account:


AuthUserFile /htdocs/corp-dirs/[$USERNAME]/[$DOMAIN]/.htpasswd
AuthGroupFile /dev/null
AuthName "Private"
AuthType Basic
require valid-user

The above example places the .htpasswd file in the root directory of your website. Naturally, you can place it anywhere you choose in your directory structure.

.htpasswd is where you will place the list of authorized usernames and passwords. The format is as follows:


username1:password1
username2:password2
...

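Passwords are stored in an encrypted (hashed) form, not as plain text. Use the htpasswd command to create them (usage: htpasswd [-c] passwordfile username). The -c flag creates a new file and overwrites an existing one, so use it only when adding the first user.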

Both files must be set via chmod to 755.
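As an added example (not part of the original FAQ), the Python sketch below audits a .htpasswd file in the username:password format shown above: it reports every entry whose password field is not a bcrypt hash and flags a file that group or other users can write to. The function names, the verdict labels and the sample entries are assumptions made for illustration.

```python
import os
import re
import stat
import tempfile

# Hash layouts the htpasswd tool can write: (pattern, scheme, verdict).
SCHEMES = [
    (re.compile(r"^\$2[aby]\$\d\d\$[./A-Za-z0-9]{53}$"), "bcrypt", "ok"),
    (re.compile(r"^\$apr1\$[^$]{1,8}\$[./A-Za-z0-9]{22}$"), "apr1-md5", "legacy"),
    (re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$"), "sha1-unsalted", "weak"),
    (re.compile(r"^[./A-Za-z0-9]{13}$"), "des-crypt", "weak"),
]

def classify(field):
    for pattern, scheme, verdict in SCHEMES:
        if pattern.match(field):
            return scheme, verdict
    return "unrecognised", "possibly plaintext"

def audit_htpasswd(path):
    """Return (subject, scheme, verdict) for each entry needing attention."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(("<file>", "mode %o" % mode, "writable by group/other"))
    with open(path, encoding="utf-8") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue  # blank lines and comments hold no credentials
            user, sep, field = line.partition(":")
            if not sep or not user:
                findings.append(("line %d" % lineno, "malformed", "no username:password"))
                continue
            scheme, verdict = classify(field)
            if verdict != "ok":
                findings.append((user, scheme, verdict))
    return findings

def write_sample(mode=0o755):  # constructed sample; hash bodies are filler
    rows = ["alice:$2y$05$" + "A" * 53, "bob:$apr1$saltsalt$" + "B" * 22,
            "carol:{SHA}" + "C" * 27 + "=", "dave:ab" + "D" * 11, "erin:hunter2"]
    with tempfile.NamedTemporaryFile("w", suffix=".htpasswd", delete=False) as fh:
        fh.write("\n".join(rows) + "\n")
    os.chmod(fh.name, mode)
    return fh.name

if __name__ == "__main__":
    print(*audit_htpasswd(write_sample()), sep="\n")
```

The check works on the shape of the field only, so a 13-character plain-text password looks the same as a crypt() hash; both are reported either way.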

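You might also want to customize the response given to an unauthorized access attempt ("401: Unauthorized"). The following line is an example of what you can add to .htaccess. Use a local path for the 401 document: if you give a full http:// URL, the server redirects the browser instead of sending the 401 status, and the visitor is never prompted for a password.

ErrorDocument 401 /401.html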

This will direct unauthorized requests to the file "401.html" (assumed to be in your root directory in the above example), which can contain forbidding graphics, pithy sayings, or anything else you decide will inform the viewer that the page is restricted.

This can, of course, be done for any of the error codes ("404: Not found" and "403: Forbidden" for example).

