Password-protecting directories
From DreamHost
Contents |
Using the Control Panel
Warning: This will overwrite any .htaccess file you may already have.
- Go to the Goodies > Htaccess/WebDAV area of the control panel.
- If you have more than one domain, select the domain which contains the directory you'd like to protect.
- Click on Configure a new directory (or Set up a new directory if you already have one).
- On the next page:
- Enter the directory you'd like to protect (leave it blank to protect the entire domain.) Note that the directory must already exist.
- Enter the name you'd like to call this area (this will appear in the pop-up window asking for your password)
- Enter a list of all the valid usernames and passwords, each pair on the same line separated by a space, one pair per line, for this password-protected directory.
- Optionally, set up WebDAV and/or Link Protection.
- Click the Configure this Directory button.
- Within 10 minutes that directory on your site will be protected!
The following image shows an example of setting up a password-protected directory:
In this case, users who go to the URL http://www.example.com/private/ would receive the following login prompt:
Only people with one of the username/password combinations you specified (such as username: ringo, password: yellowsubmarine) will be able to view the directory contents.
Using .htaccess
Sometimes you might want more control over how your directories are password-protected, such as being able to assign groups access instead of individual users. Or you might already have an .htaccess file in a directory and you don't want the automatically-generated one to overwrite it. Or maybe you just abhor all those weenie control panel type of apps and like to do everything yourself. If any of the above apply to you, then good news! You can do the above procedure manually using the magic of .htaccess!
Creating a .htaccess file
Begin by creating an .htaccess file with the following (or add these lines to an existing one):
AuthType Basic AuthUserFile /home/USERNAME/.htpasswd AuthName "My Private Area" require valid-user
Replace USERNAME with your DreamHost user name, and My Private Area with a description of the directory you're protecting. Finally, upload the file to the directory you wish to protect.
Next, you'll need to add users to the password file (.htpasswd). This is done in one of two ways:
Adding users from the shell
If you have shell access, enter the following command:
/usr/bin/htpasswd -c ~/.htpasswd USERNAME
Replace USERNAME with the username of the user you wish to add (such as good ol' ringo). You'll be prompted to enter a password for the user.
Additional users can be added using almost the same command:
/usr/bin/htpasswd ~/.htpasswd USERNAME
At the end of the day, you should end up with a file called .htpasswd in your home directory, containing something that looks sort of like this:
john:nPqDiHGRF0sSw paul:zGKlu.8k8n08U george:r0sxbOD5zCWPU ringo:xVcAVoGlAvjvM
The lines each read as:
username:encryptedpassword
Creating a .htpasswd file manually
If your user is an ftp-only account, fear not! You can still participate in the wonders of .htaccess password protection. All you have to do is create a file that looks like the one above manually.
Once you've created the file, just upload it to your home directory (/home/USERNAME/). If possible, you should chmod your .htpasswd file to 640 or 644.
A Word About Passwords
Note that our systems use the traditional Unix crypt(3) function with a random 32-bit salt (only 12 bits used) and the first 8 characters of the password. This means, in essence, that only the first 8 characters of the password are significant.
See Also
External Links
- Official htpasswd documentation - Manage user files for basic authentication
- Apache .htpasswd Password Formats - Explains the available encryptions
