htaccess tutorial
by DJG, djg@linuxhelp.net
Created on November 29th, 1999.
Last updated on December 19th, 1999.

htaccess is a way to password protect directories. It can also be used to give user or group specific access to directories. This guide will tell you how to setup apache for htaccess and to set up basic protection. Let's begin.

First, I assume you have Apache installed. If you don't, get the rpm, deb, or tarball, etc...

Now, you'll have to know what directory you want to be able to use htaccess. Let's say that you want to be able to use it in the /var/www directory.

In your apache config file, access.conf, (Mine is located in /etc/apache/access.conf, locations may vary. Try locate access.conf). Please note that in some cases when installing Apache 1.3.9 from the tarball, all the config files will be combined into one file called httpd.conf. Open up access.conf or httpd.conf and find the lines that look like the following:

<Directory /var/www>

Options Indexes FollowSymLinks

AllowOverride None

order allow,deny
allow from all

</Directory>

Note: This is machine specific. I am working from a default Debian Apache install. In order to use htaccess, you'll need to change the line

AllowOverride None

to

AllowOverride AuthConfig

If you have a different options in the AllowOverride line, but not AuthConfig, add it, if you have "All" then you won't need it.

Now restart apache for the changes to take effect.

I use /etc/init.d/apache restart for that, Red Hat Linux users may use /etc/rc.d/init.d/httpd restart. Just look around your system. Also, killall -HUP httpd will restart the server.

Now that the directory and its subdirectories are htaccess enabled, you'll need to setup the actual files.

Create a file in the dir you want to protect called .htaccess

Here's an example .htaccess file:

AuthUserFile /var/www/.htpasswd
AuthGroupFile /www.null
AuthName "Authorization Required"
AuthType Basic

<Limit GET POST>
require valid-user
</Limit>

AuthUserFile is the path to the password file which we will create in a minute.

AuthGroupFile is the path to the group password file, for simple user protection, this is not needed, so simply send the requests for it to /www.null

AuthName Is a message to appear, I just used Authorization Required. Change it to what you'd like.

AuthType Just set this to Basic

Now, inside the <Limit> tag, you have who is allowed to have access to the page. valid-user represents any valid user in the password file, you could specify a user, changing the line to:

require user djg

Now that .htaccess is set up, you'll need to create the password file. To do this, use the program htpasswd.

To create an initial .htpasswd file, use the -c tag.

The syntax is: htpasswd passwordfilename user (add -c if you're creating the file)

So, we would use:

htpasswd -c /var/www/.htpasswd djg

It would then prompt me for a password.

To create new users in the same file, simply drop the -c.

htpasswd /var/www/.htpasswd anotherusername

When running htpasswd it will ask you for that username's password. Now, everything should be set up, and your directory should be protected.