[HOWTO] - Password protect Apache folders

Jadey

sosumi
This How-to will tell you how to get Apache to prompt your users for a username & password when they try and look at a directory you've secured.

As with all things Apache, start by editing the configuration file. This is in /private/etc/httpd

Launch a terminal.

Type: cd /private/etc/httpd

Type: sudo pico httpd.conf

(You can use a different text editor if you wish, other than pico).

Scroll down until you reach the AuthConfig section. It will look like this:

# This controls which options the .htaccess files in directories can
# override. Can also be "All", or any combination of "Options", "FileInfo",
# "AuthConfig", and "Limit"

AllowOverride None

Change that last line to:

AllowOverride All


Save the httpd.conf file. If you're using pico, this is done by holding down control and hitting x.

Now, back in the terminal, type:

sudo htpasswd -c .htpasswd username

The username can be named what you like. For example, if you want people to be prompted for the username "friend" you would enter friend instead of username.

This command will also prompt you for the password you want to use.


Now in the terminal, type:
cd /Library/WebServer/Documents/DirectoryYouWannaSecure

Substitute "DirectoryYouWannaSecure" for the name of the folder you want people to have to type in a username & password to access. Or substitute the path to your own user's Sites directory.

In the terminal, type: sudo pico .htaccess

(again, you can use a different text editor than pico if you wish).

In the .htaccess file you just created with pico, paste this:

AuthUserFile /private/etc/httpd/.htpasswd
AuthGroupFile /dev/null
AuthName "Members Only"
AuthType Basic

# A bare Require applies to every request method. Wrapping it in
# <Limit GET POST> would leave HEAD, PUT, DELETE, TRACE and any other
# method unauthenticated, so the Limit block is deliberately omitted.
require valid-user

Save this file. Again control-x if in pico.

Restart Apache: sudo apachectl restart
(or turn it off & on with the button in your Sharing control panel)

Now when you go to http://localhost/DirectoryYouWannaSecure you'll be asked for a username & password!
 
If you've created a symbolic link to a directory not normally served by apache, but want that directory to ask for a username & password, here is how you do it! This How-to assumes you've already followed my instructions above.

First (in case you haven't created the symbolic link), bring up a terminal. Type in the terminal:

ln -s /Users/username/Music /Library/WebServer/Documents/Music

Modify first path above to the directory you actually want accessible in your web site. Modify the second path if you prefer to serve it out of your own /Users/username/Sites/Music (for example). This is the directory you'd create your .htaccess file in, as described in the first post in this thread.

Now to protect that directory:

In terminal type:

cd /private/etc/httpd

sudo pico httpd.conf

Scroll down until you see a section that reads this:

# Control access to UserDir directories. The following is an example
# for a site where these directories are restricted to read-only.

Add these lines:

<Directory "/Library/WebServer/Documents/Music">
AllowOverride AuthConfig
</Directory>

Save the file, restart apache. Now when you go to http://localhost/Music you'll be prompted for your username & password and taken into your /Users/username/Music directory through Apache!
 
Thanks jadey for another great HOW TO.

I'd just like to point out that this is a GREAT thing to do with phpMyAdmin (great configuration tool for anyone using PHP and MySQL).

Folks, don't leave phpMyAdmin open. It's a very bad thing to do. You can easily wipe out websites that do this, and for some it's just too tempting.

Also, if you password protect /check/1/ , then /check/1/two/three/bla.html is also protected.

I think it's pretty sweet!

thanks jd!
 
BTW, if you just want to add to the .htpasswd file, use:
sudo htpasswd .htpasswd username
And I think you can have more than one .htpasswd file, thus creating groups!

Thanks Jadey for getting me started with all this Apache password stuff! It's *very* useful!
 
What I do on my server to alleviate the need for .htpasswd and .htaccess files (for user authentication) is use this code in the httpd.conf file (or, what I like to do, include it, so it is nice and neat):

Alias /dev "/Volumes/Contents 2/Development"

<Directory "/Volumes/Contents 2/Development/">
  Options MultiViews
  AllowOverride None
  Order allow,deny
  Allow from all

  AuthName "Development Area"
  AuthType Basic
  # A bare Require covers every request method. Wrapping it in
  # <Limit GET HEAD OPTIONS CONNECT POST> would leave PUT, DELETE, TRACE
  # and any other method unauthenticated, so no Limit block is used.
  Require group staff
</Directory>

This binds the authentication to the staff group. It also allows for a 'pseudo-realm', as the OSXS Server Admin app does not like to make realms outside the main Documents folder.
 
I have been wondering about how to do this - thanks for the tutorial. I followed the instructions and all seemed to go well. When I attempted to access the directory I was protecting I got the login/password dialog - but when I entered my login/password I got an error that authorization was required.

I stepped through the tutorial one step at a time and discovered the problem. Not sure if this is common, but maybe it will help others. On my machine I did not already have the /private/etc/httpd/.htpasswd file. So when I attempted to add to it, nothing was happening.

The solution was to issue the cmd in the tutorial like this instead:

sudo htpasswd -c /private/etc/httpd/.htpasswd username

this way if you don't have the file it will be created in the proper location. The "-c" option guarantees you won't overwrite a pre-existing file.

One question I have - how do I see what names/pw are in the file in the future. Obviously they are encrypted so simply viewing them with a txt editor will not work. Also - how do I delete a user in the htpasswd file?

Thanks
 
You should have read the tutorial more carefully. If you look at it again, it does tell you how to create this file. Specifically this part:

Originally posted by Jadey
Now, back in the terminal, type:

sudo htpasswd -c .htpasswd username

This creates the .htpasswd file. The tutorial was written for not having one in the first place, as they don't come in a default Apache install.

I should point out too that the -c option guarantees you overwrite an existing .htpasswd file. If you want to add new users to an existing .htpasswd file, use the same command and drop the -c.

To answer your next question, you can open the .htpasswd file with a text editor. You'll see it in the form of:

username:encryptedpassword

If you want to delete one of the users, just delete the one line that is for them, and save the .htpasswd file.
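The htpasswd step of the tutorial, the add-a-user command a few posts up, and the question just above about viewing and deleting users all come down to what the .htpasswd file actually holds and what Apache does with it. The following is an added example, not code from this thread or from Apache: it reimplements the $apr1$ scheme that `htpasswd -m` writes (so it runs without htpasswd installed), builds the Authorization header a browser sends for AuthType Basic, checks it the way mod_auth does, and removes a user the way the later htpasswd's -D option does. The usernames, passwords and the sample file are constructed for the example; real Apache also accepts crypt(3), SHA1 and bcrypt entries, which this code does not handle.

```python
# Added example (not from the thread): what htpasswd(1) writes and what
# mod_auth checks, in plain Python. It reimplements the $apr1$ scheme of
# `htpasswd -m`; usernames, passwords and the sample file are constructed.
import base64
import hashlib
import hmac
import secrets

_ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_MAGIC = b"$apr1$"


def _to64(value: int, count: int) -> bytes:  # crypt-style base-64, low 6 bits first
    out = bytearray()
    for _ in range(count):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def apr1_crypt(password: str, salt: str) -> str:
    """Return '$apr1$<salt>$<hash>' as APR's apr_md5_encode() computes it."""
    pw, sb = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + _MAGIC + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    n = len(pw)
    while n > 0:                      # one block of 'alt' per 16 bytes of password
        ctx.update(alt[:min(n, 16)])
        n -= 16
    n = len(pw)
    while n:                          # one byte per bit of the password length
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    f = ctx.digest()
    for i in range(1000):             # stretching rounds with a fixed mixing pattern
        c = hashlib.md5(pw if i & 1 else f)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(f if i & 1 else pw)
        f = c.digest()
    tail = b"".join(_to64((f[x] << 16) | (f[y] << 8) | f[z], 4)
                    for x, y, z in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)))
    return (_MAGIC + sb + b"$" + tail + _to64(f[11], 2)).decode()


def new_entry(username: str, password: str) -> str:
    """One .htpasswd line with a fresh 8-char salt, like `htpasswd -m` appends."""
    if ":" in username:
        raise ValueError("':' separates the fields and cannot be part of a username")
    salt = "".join(secrets.choice(_ITOA64.decode()) for _ in range(8))
    return f"{username}:{apr1_crypt(password, salt)}"


def verify(password: str, stored: str) -> bool:
    """Constant-time check of a password against a stored $apr1$ hash."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "apr1" or not stored.isascii():
        return False                  # crypt(3)/SHA1/bcrypt entries are out of scope here
    return hmac.compare_digest(apr1_crypt(password, parts[2]), stored)


def parse_htpasswd(text: str) -> dict:
    """'user:hash' per line -> {user: hash}; blank lines and '#' comments are skipped."""
    users = {}
    for line in text.splitlines():
        user, sep, hashed = line.strip().partition(":")
        if sep and not user.startswith("#"):
            users[user] = hashed
    return users


def remove_user(text: str, username: str) -> str:
    """Drop the line for `username` (what `htpasswd -D` does); nothing else changes."""
    return "".join(ln + "\n" for ln in text.splitlines() if ln.partition(":")[0] != username)


def basic_header(username: str, password: str) -> str:
    """The Authorization value a browser sends for AuthType Basic: base64, not encryption."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def authenticate(authorization: str, users: dict):
    """What mod_auth does with that header: the username on success, else None."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep or user not in users:
        return None
    return user if verify(password, users[user]) else None


if __name__ == "__main__":
    htpasswd = new_entry("friend", "letmein") + "\n" + new_entry("admin", "s3cret") + "\n"
    users = parse_htpasswd(htpasswd)
    print(htpasswd, end="")
    print("right password    ->", authenticate(basic_header("friend", "letmein"), users))
    print("after htpasswd -D ->", list(parse_htpasswd(remove_user(htpasswd, "friend"))))
```

Two things worth noticing when you run it: the .htpasswd line is a salted, iterated hash (so it is safe to read the file to see who is in it, and deleting a user really is just deleting their line), but the Authorization header is only base64 of `user:password`, so anything AuthType Basic protects is sent in the clear unless the site is served over HTTPS.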
 
I followed it step by step and no .htpasswd file was created.

Thanks for the clarification on the -c option. I am definitely no nix guru - the man page is my friend...
 
bluez, if you HAD followed it step by step, you would have gotten the .htpasswd file created. Your recommendation to include the path says to me you skipped the step in the beginning of the tutorial that says to:

In terminal type:

cd /private/etc/httpd
 
This conversation is closed - seeing as how you have become so defensive, the true meaning of sharing knowledge on this topic has diminished.
 
I certainly can't help how you interpret my postings. I was trying to make it clear so that other people who would try to follow the how-to wouldn't become confused by your missing a step. But, no need to apologize, bluehz ;)
 
I would like to remove the users feature in Apache,

ie http://127.0.0.1/~user

I have put a password on the main page (http://127.0.0.1) and I don't want it to allow anything without having to put in the password. However, it bypasses the password when you go to a user's homepage. So I deleted the Sites folder out of my home folder and now when I type in 127.0.0.1/~user it says 404 not found. This only happens when you place a valid username in the URL.

If you put an invalid username it prompts you for the password, then says 404 not found. (this is what i want it to always do).

I only want to have one website on my computer, which runs from /Library/WebServer/Documents/

Thanks

William
 
I've been trying to get into password protection for a while (half-heartedly).
This works fine thanks.

One thing: your first post didn't work for me (just as if it wasn't protected, and it allowed me into the site), but your second post fixed it. In newbie terms, what was the difference?;)
 
That's crystal;)

Just one thing, why didn't the first way work on my machine, and the second did? (generally, I don't want this to turn into a support issue:D ;) )

Cheers
 
Just printing this out now!

I tried this again on my studio server at work, and the first way worked fine, so, I guess it was an error on my part late last night;)

Thanks for taking the time!
 
My Apache doesn't like what I did to the config file. Here is what happened:

[localhost:/private/etc/httpd] admin% sudo apachectl restart
/usr/sbin/apachectl restart: configuration broken, ignoring restart
/usr/sbin/apachectl restart: (run 'apachectl configtest' for details)
[localhost:/private/etc/httpd] admin% sudo apachectl configtest
Syntax error on line 404 of /etc/httpd/httpd.conf:
AllowOverride not allowed here
[localhost:/private/etc/httpd] admin% sudo emacs httpd.conf


Anyone who's got an idea of what might be wrong?

/Essage
 
It seems to be working now.

The long story:

Actually there is no place in the httpd.conf that looks like:
# This controls which options the .htaccess files in directories can
# override. Can also be "All", or any combination of "Options", "FileInfo",
# "AuthConfig", and "Limit"

AllowOverride None


It looks like:
# This controls which options the .htaccess files in directories can
# override. Can also be "All", or any combination of "Options", "FileInfo",
# "AuthConfig", and "Limit"
#
# AllowOverride None

I removed the hash before AllowOve... and changed None to AuthConfig, and after that Apache wouldn't restart. I followed all the other steps and inserted the hash again. And it seems to work.
I think it's the default setting that makes it work.
A couple of lines above:
# First, we configure the "default" to be a very restrictive set of
# permissions.
#
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>

Isn't it?


Is it insecure in some way having it this way?


Another question about this:
The user I created, does it have access to all directories I password-protect? I just want it to have access to a specific directory, and want to be able to password-protect other directories that the user doesn't have access to.

/Essage
 
OK. I replaced my httpd.conf file with the default one.

Now that part works as it should, but one new issue appeared.

When i run configtest I get this message:

[alert] httpd: Could not determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
Syntax OK


I'm using the IP 192.168.0.2. It worked before replacing the file, and I didn't get this message before.
I have tried to set the ServerName to 192.168.0.2, but it isn't working.

Before I started to mess with the httpd file the first time, I used Server Admin to set up a website. It was named 192.168.0.2 and the IP was 192.168.0.2. It worked perfectly.
But if I do that now, when I try to connect to the server and get the response from the server, it just tries to connect again and again...
 
I am already forwarding port 80 on my public IP to 192.168.0.2. Shall I set the ServerName to 192.168.0.2 also?
 
Thanks!

It works now.

One issue still stands. When I'm accessing addresses from the local area network and don't type the last slash, like "http://192.168.0.2/directory", I'm getting: "the connection was refused when attempting to contact 127.0.0.1".

It works if I type:
"http://192.168.0.2/directory/"

/Essage
 