[HOWTO] - Password protect Apache folders

[Jadey]

This How-to will tell you how to get Apache to prompt your users for a username & password when they try and look at a directory you've secured.

As with all things Apache, start by editing the configuration file. This is in /private/etc/httpd

Launch a terminal.

Type: cd /private/etc/httpd

Type: sudo pico httpd.conf

(You can use a different text editor if you wish, other than pico).

Scroll down until you reach the AuthConfig section. It will look like this:

# This controls which options the .htaccess files in directories can
# override. Can also be "All", or any combination of "Options", "FileInfo",
# "AuthConfig", and "Limit"

AllowOverride None

Change that last line to:

AllowOverride All


Save the httpd.conf file. If you're using pico, this is done by holding down control and hitting x.

Now, back in the terminal, type:

sudo htpasswd -c .htpasswd username

The username can be named what you like. For example, if you want people to be prompted for the username "friend" you would enter friend instead of username.

This command will also prompt you for the password you want to use.


Now in the terminal, type:
cd /Library/WebServer/Documents/DirectoryYouWannaSecure

Substitute "DirectoryYouWannaSecure" for the name of the folder you want people to have to type in a username & password to access. Or substitute the path to your own user's Sites directory.

In the terminal, type: sudo pico .htaccess

(again, you can use a different text editor than pico if you wish).

In the .htaccess file you just created with pico, paste this:

AuthUserFile /private/etc/httpd/.htpasswd
AuthGroupFile /dev/null
AuthName "Members Only"
AuthType Basic

<Limit GET POST>
require valid-user
</Limit>

Save this file. Again control-x if in pico.

Restart Apache: sudo apachectl restart
(or turn it off & on with the button in your Sharing control panel)

Now when you go to http://localhost/DirectoryYouWannaSecure you'll be asked for a username & password!

[Jadey]

If you've created a symbolic link to a directory not normally served by apache, but want that directory to ask for a username & password, here is how you do it! This How-to assumes you've already followed my instructions above.

First (in case you haven't created the symbolic link), bring up a terminal. Type in the terminal:

ln -s /Users/username/Music /Library/WebServer/Documents/Music

Modify first path above to the directory you actually want accessible in your web site. Modify the second path if you prefer to serve it out of your own /Users/username/Sites/Music (for example). This is the directory you'd create your .htaccess file in, as described in the first post in this thread.

Now to protect that directory:

In terminal type:

cd /private/etc/httpd

sudo pico httpd.conf

Scroll down until you see a section that reads this:

# Control access to UserDir directories. The following is an example
# for a site where these directories are restricted to read-only.

Add these lines:

<Directory "/Library/WebServer/Documents/Music">
AllowOverride AuthConfig
</Directory>

Save the file, restart apache. Now when you go to http://localhost/Music you'll be prompted for your username & password and taken into your /Users/username/Music directory through Apache!

[kilowatt]

Thanks jadey for another great HOW TO.

I'd just like to point out that this is a GREAT thing to do with phpMyAdmin (great configuration tool for anyone using php and MySQL).

folks, don't leave myPhpAdmin open. Its a very bad thing to do. You can easily wipe out websites who do this, and for some its just too tempting.

Also, if you password protect /check/1/ , then /check/1/two/three/bla.html is also protected.

I think its pretty sweet!

thanks jd!

[kilowatt]

BTW, if you just want to add to the .htpasswd file, use:

Code:

sudo htpasswd .htpasswd username

And I think you can have more than one .htpasswd file, thus creating groups!

Thanks Jadey for getting me started with all this apache password stuff! Its *very* useful!

[meancode]

what i do on my server to eleviate the need for .htpasswd and .htaccess files (for user authentication) is use thise code in the httpd.conf file (or what i like to do, include it, so it is nice and neat:

Code:

Alias /dev "/Volumes/Contents 2/Development"

<Directory "/Volumes/Contents 2/Development/">
  Options MultiViews
  AllowOverride None
  Order allow,deny
  Allow from all

  AuthName "Development Area"
  AuthType Basic
  <Limit GET HEAD OPTIONS CONNECT POST>
    Require group staff
  </Limit>
</Directory>

this binds the authentication to the staff group. also allows for a 'psudo realm' as the OSXS Server Admin app does not like to make realms outside the main Documents folder.

[bluehz]

I have been wondering about how to do this - thnx for the tutorial. I followed the instructions and all seemed to go well. When I attempted to access the directory I was protecting I got the login/password dialog - but when I entered my login/password - I got an error that authorization was req.

I stepped through the tutorial one at a time and discovered the problem. Not sure if this is common - but maybe it will help others. On my machine I did not already have /private/etc/httpd/.htpasswd file. So when I attempted to add to it - nothing was happening.

The solution was to issue the cmd in the tutorial like this instead:

sudo htpasswd -c /private/etc/httpd/.htpasswd username

this way if you don't have the file it will be created in the proper location. The "-c" option guarantees you won't overwrite a pre-existing file.

One question I have - how do I see what names/pw are in the file in the future. Obviously they are encrypted so simply viewing them with a txt editor will not work. Also - how do I delete a user in the htpasswd file?

Thx

[Jadey]

You should have read the tutorial more carefully. If you look at again, it does tell you how to create this file. Specifically this part:

Originally posted by Jadey
Now, back in the terminal, type:

sudo htpasswd -c .htpasswd username

This creates the .htpasswd file. The tutorial was written for not having one in the first place, as they don't come in a default Apache install.

I should point out to that the -c option guarantees you overwrite an existing .htpasswd file. If you want to add new users to an existing .htpasswd file, use the same command and drop the -c.

To answer your next question, you can open the .htpasswd file with a text editor. You'll see it in the form of:

username:encryptedpassword

If you want to delete one of the users, just delete the one line that is for them, and save the .htpasswd file.

[bluehz]

I followed it step by step and no .htpasswd file was created.

Thx for the clarification on the -c option. I am definitely no nix guru - the MAN is my friend...