.htaccess files

This page describes how to use the .htaccess file to password protect webpages.

So what is a .htaccess file? .htaccess is an Apache configuration file that allows users, generally those without access to the main server configuration file, to change the way Apache behaves with regard to a specific directory. While .htaccess can perform a variety of different tasks, this page will be focusing on how it can be used to password protect webpages.

IMPORTANT: The .htaccess file’s presence in a directory protects the ENTIRE directory, not just individual files. Thus, unless you specifically want your entire web directory inaccessible to those without a password, do not put a .htaccess file directly inside the ~/.www folder in your home directory.

To get started, SSH into your CS account and run the following command to (1) generate a new file containing a list of authorized usernames and passwords and (2) add a new user:

cd ; htpasswd -c .passwd <USERNAME>

<USERNAME> can be any name you want – it doesn’t have to be the same as your UNET or CS account username. However, you will need to remember it to log in to your website. If you want to store .passwd elsewhere, be sure to place it outside of your ~/.www directory. This way, it can’t be downloaded by your website’s visitors. Next, enter a password. While we use a pretty secure way of hashing the passwords, it’s probably NOT a good idea to use your system password. Verify your password, hit return, and boom! You’ve generated a new username and password combination you can use to access your site.

Next, create a text file named .htaccess in whichever directory in ~/.www you want to password protect. This is the format for a basic .htaccess file:

AuthType Basic
AuthName "Restricted Files"
AuthUserFile "<PATH_TO_HOME_DIRECTORY>/.passwd"
Require valid-user

To give an example of what <PATH_TO_HOME_DIRECTORY> might look like, for a student it might be /home/u/fall19/jhoward.

The most important part of the .htaccess file, for our purposes, is the AuthUserFile directive. This tells the web server (Apache) where the password file is located. This, of course, means that the file has to be world readable so that the web server can read it. The path specified in the AuthUserFile directive MUST be a full, valid UNIX path specifying the location of the password file.

At this point, you’re all set! To add other users, use htpasswd again, this time without the -c flag. To remove users from the list, open the .passwd file and delete the line containing their username. After logging into the site, whichever username and password combination you used will be cached with your browser so you don’t have to reenter your credentials. To log in as a new user, or to prevent people using your browser from accessing your site after you, clear your browser’s cache.
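
To check a finished setup against the points above (a Require line, a full AuthUserFile path, a password file outside ~/.www that is world readable), a script like the following can be used. It is an added example, not part of the original page; the names check_htaccess and demo, the constructed demo layout, and the owner-only-write check are assumptions made here.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: audit one .htaccess file that
# uses the four-directive format shown above.
# Usage: check_htaccess HTACCESS_FILE WEB_ROOT
# Prints one line per finding; returns 0 when clean, 1 otherwise.
check_htaccess() {
    local htaccess=$1 webroot=$2 rc=0 pwfile real_pw real_root
    # Without a Require directive Apache never asks for credentials.
    grep -qiE '^[[:space:]]*Require[[:space:]]' "$htaccess" ||
        { echo "FAIL: no Require directive"; rc=1; }
    # Directive names are case-insensitive; strip the name and any quotes.
    pwfile=$(grep -iE '^[[:space:]]*AuthUserFile[[:space:]]' "$htaccess" | head -n 1 |
        sed -E 's/^[[:space:]]*[^[:space:]]+[[:space:]]+//; s/[[:space:]]*$//; s/^"(.*)"$/\1/')
    case $pwfile in
        /*) ;;
        *) echo "FAIL: AuthUserFile must be a full path, got '$pwfile'"; return 1 ;;
    esac
    [ -f "$pwfile" ] || { echo "FAIL: $pwfile does not exist"; return 1; }
    # Compare physical paths so a symlinked directory cannot hide the overlap.
    real_pw=$(cd "$(dirname "$pwfile")" && pwd -P)/$(basename "$pwfile")
    real_root=$(cd "$webroot" && pwd -P)
    case $real_pw in
        "$real_root"/*) echo "FAIL: password file is inside the web root"; rc=1 ;;
    esac
    # The page requires the password file to be world readable.
    [ -n "$(find "$pwfile" -prune -perm -004)" ] ||
        { echo "FAIL: password file is not world readable"; rc=1; }
    # Extra check (an assumption, not from the page): only the owner may write.
    [ -z "$(find "$pwfile" -prune \( -perm -020 -o -perm -002 \))" ] ||
        { echo "FAIL: password file is writable by group or others"; rc=1; }
    return $rc
}

# Constructed demo: a throwaway home directory laid out as the page describes.
demo() {
    local home; home=$(mktemp -d)
    mkdir -p "$home/.www/private"
    printf 'alice:$apr1$CONSTRUCTED$notARealHash\n' > "$home/.passwd"
    chmod 644 "$home/.passwd"
    printf 'AuthType Basic\nAuthName "Restricted Files"\nAuthUserFile "%s/.passwd"\nRequire valid-user\n' \
        "$home" > "$home/.www/private/.htaccess"
    check_htaccess "$home/.www/private/.htaccess" "$home/.www" && echo "OK: no findings"
    rm -rf "$home"
}
demo
```

To audit a real directory, call check_htaccess with the path to its .htaccess file and the path to ~/.www.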

For a more comprehensive explanation of .htaccess’s authentication capabilities, please refer to the Apache documentation. If you have any questions, feel free to contact us.


Last Revised: 2020-06-01