
Version 7 (modified by Jamie McClelland, 10 years ago)

How do I password protect a directory on my web site?

This page explains how to create folders that store files that people can only access using a username and password.

Before implementing this solution, please read about important security implications.

In this example, we have multiple translators that need to access video files they need to translate (Dan and Nancy). Both translators will have their own username and password. In addition, both translators will be able to access all protected files.

  1. If you already have a folder in place (or if you are protecting your entire web site) you can skip this step. On the other hand, if you only want to protect a single folder and you haven't created it yet: Use SFTP to log in to your web site. Go to YOUR-DOMAIN-NAME/web and create a new directory (AKA folder). This will be the folder that you put your files into, and that the users log in to and download the files from.
  2. Next, use secure shell to log in to your account.
  3. Create a username and password (in this example, the username is dan) so that he can access the protected directory. His user name will simply be "dan". Type the following (you will be prompted to create a password after you type each command):
    htpasswd -c ~/YOUR-DOMAIN-NAME/include/htpasswd dan
    
  4. Optionally, give Nancy a separate username to log onto the same directory. Her username will simply be "nancy". Type:
    htpasswd ~/YOUR-DOMAIN-NAME/include/htpasswd nancy
    
  5. It's a good idea to add a user for yourself as well so you can log in and make sure things are working. Type:
    htpasswd ~/YOUR-DOMAIN-NAME/include/htpasswd YOUR-USERNAME
    
  6. Finally, log in to the Members Control Panel and select "Web Config" from the services drop-down menu. Add the following in the text field next to 'settings'. The parts in capital letters are placeholders that you replace with your own values. If you are protecting your entire web site, just enter a forward slash (/) in the Location part.
    <Location /FOLDER-TO-PROTECT>
     AuthType Basic
     AuthName "username"
     AuthUserFile /home/members/GROUPNAME/sites/YOUR-DOMAIN-NAME/include/htpasswd
     require valid-user
    </Location>
    
  7. Click the submit button, wait a few seconds and then click the refresh button.

Now, when you go to the directory via a web page, you should be prompted for a username and password.

Enter any of the three username/password combos you created above.

How did this work?

Here's what you did in step 3: You created an htpasswd file, which is a file whose purpose is to store usernames and passwords, and you added Dan's username to it.

Let's break down the command line code.

  • htpasswd (in this instance, htpasswd is a command that you run)
  • -c (this says 'make a new htpasswd file where there wasn't one before')
  • ~/yourdomain.org/include/ (this is the path where the htpasswd file will be created)
  • htpasswd_translations (This is the name of the htpasswd file. Here we've called it "htpasswd_translations" so that one can know that it's an htpasswd file, as opposed to just calling it "translations")
  • dan (this is the user name that is attached to or stored in the htpasswd file. In this case Dan's username)

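Here's what you did in step 4: You added Nancy's username to the same, existing htpasswd file that you created in step 3. It's the same line except you left out the -c, because the file already exists (running the command with -c again would overwrite the file and remove Dan's entry).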

You did the same thing in step 5 except it's your username that you added to the htpasswd file, instead of Nancy's.
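
To see what steps 3 to 5 left in the htpasswd file, the added example below (not part of the original page) reads such a file, one user:hash entry per line, and reports which hash scheme each entry uses. The function names and the sample entries are constructed for illustration; to check the real file, run audit_htpasswd ~/YOUR-DOMAIN-NAME/include/htpasswd.

```sh
#!/bin/sh
# Added example: report the hash scheme behind each entry of an htpasswd file.

# Constructed sample file; usernames follow the page, hash bodies are fillers.
sample_htpasswd() {
cat <<'EOF'
dan:$apr1$SALTSALT$CONSTRUCTEDHASHBODY000
nancy:$2y$05$CONSTRUCTEDSALTANDHASHBODY0000000000000000000000000000
olduser:{SHA}CONSTRUCTEDBASE64BODY0000000=
legacy:CONSTRUCTED13
EOF
}

# Usage: audit_htpasswd [FILE]   (reads standard input when FILE is omitted)
# Prints "user scheme verdict" per entry. WEAK marks the formats that the
# Apache htpasswd documentation calls insecure: crypt(), SHA-1 and plaintext.
audit_htpasswd() {
  awk -F: '
    /^#/ || /^$/ { next }   # skip comments and blank lines
    {
      h = $2; verdict = "ok"
      p = substr(h, 1, 4)
      if (p == "$2y$" || p == "$2a$" || p == "$2b$") scheme = "bcrypt"
      else if (substr(h, 1, 6) == "$apr1$")          scheme = "apr1-md5"
      else if (substr(h, 1, 3) == "$5$" || substr(h, 1, 3) == "$6$") scheme = "sha-crypt"
      else if (substr(h, 1, 5) == "{SHA}") { scheme = "sha1-unsalted"; verdict = "WEAK" }
      else if (length(h) == 13)            { scheme = "des-crypt"; verdict = "WEAK" }
      else                                 { scheme = "plaintext-or-unknown"; verdict = "WEAK" }
      print $1, scheme, verdict
    }' "${1:--}"
}

# Number of entries stored in a weak format (0 when there are none).
count_weak() { audit_htpasswd "$@" | grep -c ' WEAK$' || true; }

# Demo on the constructed sample.
sample_htpasswd | audit_htpasswd
```

An entry flagged WEAK can be replaced by running htpasswd again for that user, as in step 4; where the installed htpasswd supports it, the -B option stores the password with bcrypt.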

Here's what you did in step 6: You linked the htpasswd file that contains Dan's and Nancy's passwords to the webpage (or folder on the server) that you created in step 1. Let's break down the code:

Here you've specified the web page called http://yourdomain.org/translations which you created in step 1.

<Location /translations> 

Here, you've chosen this htpasswd file - "htpasswd_translations" - to link to the location you chose in the first line:

/home/members/ubuntufilms/sites/yourdomain.org/include/htpasswd_translations