
Version 2 (modified by Jamie McClelland, 16 years ago)

How do I password protect a directory on my web site?

This page explains how to create folders that store files that people can only access using a username and password.

Before implementing this solution, please read about important security implications.

In this example, two translators (Dan and Nancy) need to access video files that they will translate. Each translator will have their own username and password, and both will be able to access all protected files.

  1. Use SFTP to log in to your web site. Go to <yourdomain>.org/web and create a new directory (AKA folder) called "translations". This is the location where you will put your files, and where users will log in to download them.
  2. Use secure shell to log in to your account.
  3. Create a username and password for a translator (in this example, Dan) so that he can log in to the translations page. His username will simply be "dan". Type:
    htpasswd -c ~/yourdomain.org/include/htpasswd_translations dan
    
  4. Give Nancy a separate username to log onto the same translations page. Her username will simply be "nancy". Type:
    htpasswd ~/yourdomain.org/include/htpasswd_translations nancy
    
  5. It's a good idea to add a user for yourself as well so you can log in and make sure things are working.
    htpasswd ~/yourdomain.org/include/htpasswd_translations <my username>
    
  6. Finally, log in to your Members Control Panel and select "Web Config" from the services drop-down menu. Add the following in the text field next to 'settings'. Replace the parts in capital letters with your own values.
    <Location /translations>
     AuthType Basic
     AuthName "username"
     AuthUserFile /home/members/GROUPNAME/sites/YOURDOMAINNAME/include/htpasswd_translations
     require valid-user
    </Location>
    
  7. Click the submit button, wait a few seconds and then click the refresh button.

Test the setup by going to http://yourdomain.org/translations.

You should be prompted for a username and password.

Enter any of the three username/password combos you created above.

How did this work?

Here's what you did in step 3: You created an htpasswd file, which is a file whose purpose is to store usernames and passwords, and you added Dan's username to it.

Let's break down the command line code.

  • htpasswd (in this instance, htpasswd is a command that you run)
  • -c (this says 'make a new htpasswd file where there wasn't one before')
  • ~/yourdomain.org/include/ (this is the path where the htpasswd file will be created)
  • htpasswd_translations (This is the name of the htpasswd file. Here we've called it "htpasswd_translations" so that one can know that it's an htpasswd file, as opposed to just calling it "translations")
  • dan (this is the user name that is attached to or stored in the htpasswd file. In this case Dan's username)

Here's what you did in step 4: You added Nancy's username to the same, existing htpasswd file that you created in step 3. It's the same command except you left out the -c. Running it with -c again would create the file afresh and erase Dan's entry.

You did the same thing in step 5 except it's your username that you added to the htpasswd file, instead of Nancy's.
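An added example, not part of the original page: a small shell audit for the htpasswd file built in steps 3-5. It lists which hash scheme protects each user and reports expected users that are missing. It assumes the standard `username:hash` line format and the hash prefixes that htpasswd writes. The sample file, its placeholder hashes and the third username `editor` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit an htpasswd file such as
# the htpasswd_translations file built in steps 3-5.
# Every line of the file has the form  username:hashed-password

# Print "username scheme" per entry, classifying the hash by its prefix.
htpasswd_schemes() {
    while IFS=: read -r user hash || [ -n "$user" ]; do
        [ -n "$user" ] || continue                 # skip blank lines
        case "$hash" in
            '$2y$'*)   scheme=bcrypt ;;             # htpasswd -B
            '$apr1$'*) scheme=md5-apr1 ;;           # htpasswd -m
            '{SHA}'*)  scheme=sha1-unsalted ;;      # htpasswd -s
            *)         scheme=crypt-or-plaintext ;; # htpasswd -d or -p
        esac
        printf '%s %s\n' "$user" "$scheme"
    done < "$1"
}

# Print every expected username that is missing from the file, one per line.
# An earlier user going missing is the symptom of re-running htpasswd with -c.
htpasswd_missing() {
    file=$1; shift
    for want in "$@"; do
        cut -d: -f1 "$file" | grep -qxF -- "$want" || printf '%s\n' "$want"
    done
}

# Constructed sample file: the hash strings are placeholders, not real hashes.
sample=$(mktemp)
cat > "$sample" <<'EOF'
dan:$apr1$constructed$placeholderplaceholder00
nancy:$2y$05$constructedplaceholderconstructedplaceholder000000000
EOF

htpasswd_schemes "$sample"    # one "user scheme" line per entry
# "editor" is a hypothetical third username standing in for <my username>.
echo "missing: $(htpasswd_missing "$sample" dan nancy editor | tr '\n' ' ')"
rm -f "$sample"
```

To audit the real file, call the two functions with `~/yourdomain.org/include/htpasswd_translations` in place of the sample.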

Here's what you did in step 6: You linked the htpasswd file that contains Dan's and Nancy's passwords to the webpage (or folder on the server) that you created in step 1. Let's break down the code:

Here you've specified the web page called http://yourdomain.org/translations which you created in step 1.

    <Location /translations>

Here, you've chosen this htpasswd file - "htpasswd_translations" - to link to the location you chose in the first line:

    /home/members/ubuntufilms/sites/yourdomain.org/include/htpasswd_translations