Using .htpasswd with .htaccess

Some elementary questions on password protecting a directory

     
6:55 am on Nov 11, 2003 (gmt 0)

Moderator from US 

WebmasterWorld Administrator robert_charlton

joined:Nov 11, 2000
posts:12411
votes: 416


This is a follow-up question from this thread in the robots.txt forum, where it was rightly suggested that blocking a .log file with robots.txt not only isn't enough, but that it might backfire:

[webmasterworld.com...]

It was suggested that the .log file belongs in a password protected directory.

Servers are not my strong suit, but I don't want the hosting company meddling with my .htaccess file... they're notoriously sloppy... so once again I find myself at the bottom of a steep learning curve.

I've done a bunch of reading and now have several ridiculously elementary questions. I'm including all the details, because they might be helpful to others.

First, one suggestion I found on the board, a route I would take if I were managing a bunch of usernames and passwords, would be to use the TechnoTrade .htaccess password protector manager. For $49, installed, it seems to be a bargain.

For one username/password, though, I'm thinking that editing my .htaccess myself and adding an .htpasswd file would work.

I don't know how to use the Apache command line remotely, which I gather is one way to generate the encrypted .htpasswd file.

There are also a number of tools I found online to encrypt the password. Again, recommended on the board was the Kelv.net Kelvs .htaccess/.htpasswd Generator. I understand that not all of these tools are compatible with all versions of Apache, but this one at least seems up to date.

It generates code for both .htaccess and for .htpasswd. For .htpasswd, it generates encrypted username and password ASCII text to paste into the .htpasswd file... something like:

username:$1$GbVNsemq$Y6tDpZnQOzc5ENnnkt/GK0

Am I correct in assuming that .htpasswd is simply an ASCII txt file, like .htaccess, to be installed within the directory that I am protecting?

I gather I also need to add the following to .htaccess....

AuthType Basic
AuthUserFile [mydomain.com...]
AuthName "Stats"
require valid-user

Some posts in the forums suggest also adding...

AuthGroupFile /dev/null

...and some say it's not necessary.

Anything else I need to know in terms of basic server settings, things I should be requesting from the host? Any concern about any of this with other parts of my precious .htaccess, like where in the file it should go?

8:36 am on Nov 11, 2003 (gmt 0)

Senior Member


joined:Dec 6, 2001
posts:2213
votes: 0


I can't give you all the crazy techno stuff, just what worked for me.

Two files

.htaccess and .htpasswd

In the htaccess I have the following lines:

AuthUserFile /www/vhtdocs/yourdomain.com/.htpasswd
AuthName "Please Log On"
AuthType Basic
require valid-user

Then you need the file that the above top line references and contains

yourusername:anencryptedbit

There are lots of public encrypters out there. If I can, I only put in the password or, failing that, use a username on 1 or something simple. I don't want to actually use the correct combination.

Both of the above files are ASCII, easily created in Notepad, and then you just upload them. If you want to see them again (they appear not to be there sometimes), then in your FTP client there will be a blank space; type "-la" in there and press Enter and they appear, so at least if you balls up your stuff you are not locked down "forever" :)

You can create htaccess files which can sit in any folder, which, if I am correct, overrides the previous level, so you can have a tiered set of directives.

HTH a bit

7:27 am on Nov 12, 2003 (gmt 0)

Moderator from US 

WebmasterWorld Administrator robert_charlton

joined:Nov 11, 2000
posts:12411
votes: 416


You can create htaccess files which can sit in any folder, which, if I am correct, overrides the previous level, so you can have a tiered set of directives.

Thanks... I assume this means that I can put .htpasswd and an .htaccess with Auth info only into mydomain.com/private/, and not be worried that it will mess up the .htaccess in my root. Sounds easy.

Can anyone tell me whether I should or shouldn't use:

AuthGroupFile /dev/null

8:34 am on Nov 12, 2003 (gmt 0)

Senior Member


joined:Dec 6, 2001
posts:2213
votes: 0


RC

That is correct.
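
Added example, not part of the original thread or any poster's code: a small audit of the setup discussed above that reports which hash scheme each .htpasswd line uses and whether the AuthUserFile path lies under the web-served directory. The document root value and the "ok/legacy/weak" ratings are assumptions made for illustration; the directives and the hash line are the ones quoted in the thread.

```python
import posixpath
import re

# (pattern, scheme, rating) for the hash formats seen in .htpasswd files.
SCHEMES = [
    (re.compile(r"^\$2[aby]\$\d{2}\$"), "bcrypt", "ok"),
    (re.compile(r"^\$apr1\$"), "apr1 (Apache MD5)", "legacy"),
    (re.compile(r"^\$1\$"), "md5-crypt", "legacy"),  # needs the platform crypt()
    (re.compile(r"^\{SHA\}"), "unsalted SHA-1", "weak"),
    (re.compile(r"^[./0-9A-Za-z]{13}$"), "DES crypt", "weak"),
]

def classify(line):
    """Return (user, scheme, rating) for one 'user:hash' line."""
    user, _, digest = line.strip().partition(":")
    for pattern, scheme, rating in SCHEMES:
        if pattern.match(digest):
            return user, scheme, rating
    return user, "plaintext or unknown", "weak"

def auth_user_file(htaccess_text):
    """Return the AuthUserFile path from .htaccess text, or None."""
    for raw in htaccess_text.splitlines():
        parts = raw.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "authuserfile":
            return parts[1].strip().strip('"')
    return None

def web_reachable(path, docroot):
    """True if an absolute password-file path lies under the document root."""
    path, docroot = posixpath.normpath(path), posixpath.normpath(docroot)
    return posixpath.commonpath([path, docroot]) == docroot

def audit(htaccess_text, htpasswd_text, docroot):
    findings = []
    path = auth_user_file(htaccess_text)
    if path is None or not posixpath.isabs(path):
        findings.append("AuthUserFile missing or relative (relative paths resolve against ServerRoot)")
    elif web_reachable(path, docroot):
        findings.append("password file is inside the document root")
    for line in htpasswd_text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):  # skip blanks/comments
            user, scheme, rating = classify(line)
            if rating != "ok":
                findings.append("%s: %s (%s)" % (user, scheme, rating))
    return findings

# Constructed sample: directives and hash line as quoted in the thread.
HTACCESS = 'AuthUserFile /www/vhtdocs/yourdomain.com/.htpasswd\nAuthName "Please Log On"\nAuthType Basic\nrequire valid-user\n'
HTPASSWD = "username:$1$GbVNsemq$Y6tDpZnQOzc5ENnnkt/GK0\n"
```

Calling `audit(HTACCESS, HTPASSWD, "/www/vhtdocs/yourdomain.com")` returns one finding for the file location and one for the `$1$` hash; a password file kept above the document root with a bcrypt entry returns an empty list.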