HTTP Authentication Setup - A Quick-Step Guide


This document started out as some text notes from when I first tracked down a simple way to configure HTTP Authentication. For some reason, simple instructions were not easy to find -- at least not when I went looking (admittedly, that was quite some time ago).

The first public version of this document was a Qdig Help forum posting. (The original version is more specific to securing Qdig's admin.php script.) Hopefully this will save you some time. If you think this guide can be improved, let me know.

These are just quick and simple instructions. Consult the Apache Manual (1.3, 2.0) and the PHP Manual if you need more detailed information.

Simple HTTP-Auth Setup

Use the following steps to password-protect a directory and all of its subdirectories using HTTP authentication (.htaccess / .htgroups / .htpasswd). You can also protect individual files in a directory -- see below.

Step 1) Create a .htaccess file:

The special file .htaccess is a text file that contains per-directory "configuration directives" for a directory and all subdirectories in the tree below it. This document is about directives for access control to files, but there are directives for other purposes as well. Most people probably won't have a .htaccess file to start with. If one exists, you can add lines to that one.

Note: It's possible your server's configuration may need to be adjusted in order for your .htaccess directives to take effect in the directory.

In the directory you want to protect (for this example we'll assume this will be the /home/someuser/public_html/somdirectory/ directory), create a text file called .htaccess with contents similar to this:

 AuthUserFile /home/someuser/public_html/somdirectory/.htpasswd
 AuthGroupFile /home/someuser/public_html/somdirectory/.htgroups
 AuthName "Secure Area"
 AuthType Basic
 require group editors 

Step 2) Create a .htgroups file:

From the Apache manual:

...An authentication group is, as you would expect, a group name associated with a list of members. This list is stored in a group file, which should be stored in the same location as the password file, so that you are able to keep track of these things.

The format of the group file is exceedingly simple. A group name appears first on a line, followed by a colon, and then a list of the members of the group, separated by spaces...

Here is a /home/someuser/public_html/somdirectory/.htgroups file for our example setup:

 editors: jack jill 

Step 3) Create a .htpasswd file using the htpasswd(1) command:

 htpasswd -nmb jack bucket >>.htpasswd
 htpasswd -nmb jill pail >>.htpasswd 

or, if you don't want the passwords in your command history, you can type them in at a prompt:

 htpasswd -nm jack >>.htpasswd
 htpasswd -nm jill >>.htpasswd 

Step 4) Set permissions if necessary.

 chmod 644 .ht* 

Step 5) Test and celebrate.

Files in your directory should now be accessible only by the users in your group.

Improving On The Basic Setup

You should keep your .htpasswd and .htgroups files somewhere outside your web document tree. Here are steps to create a directory and move them there:

 mkdir -p /home/someuser/htaccess
 mv .htpasswd /home/someuser/htaccess
 mv .htgroups /home/someuser/htaccess 

Change the AuthUserFile and AuthGroupFile in your .htaccess file to reflect the new path to .htpasswd and .htgroups:

 AuthUserFile /home/someuser/htaccess/.htpasswd
 AuthGroupFile /home/someuser/htaccess/.htgroups 
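
As an added example (not part of the original guide), the following shell function audits a .htaccess written as described above: it flags AuthUserFile/AuthGroupFile paths that still sit inside the web document tree and group members who have no .htpasswd entry. The function names, the temporary fixture and the placeholder hash are constructed for illustration; it assumes unquoted paths and a single "require group" line.

```shell
#!/bin/sh
# Added example: audit a .htaccess laid out as in this guide.
# Assumes unquoted file paths and a single "require group NAME" line.
# check_htauth HTACCESS DOCROOT: prints findings, returns the problem count.
check_htauth() {
    htaccess=$1; docroot=${2%/}; problems=0
    # Apache directive names are case-insensitive, so compare in lower case.
    userfile=$(awk 'tolower($1)=="authuserfile"{print $2; exit}' "$htaccess")
    groupfile=$(awk 'tolower($1)=="authgroupfile"{print $2; exit}' "$htaccess")
    group=$(awk 'tolower($1)=="require" && tolower($2)=="group"{print $3; exit}' "$htaccess")
    # 1) Password and group files belong outside the web document tree.
    for f in "$userfile" "$groupfile"; do
        case $f in
            "$docroot"/*) echo "WARN: $f is inside the document tree"
                          problems=$((problems + 1)) ;;
        esac
    done
    # 2) Every member of the required group needs a password entry.
    members=$(awk -F: -v g="$group" '$1==g{print $2}' "$groupfile")
    for user in $members; do
        if ! awk -F: -v u="$user" '$1==u{ok=1} END{exit !ok}' "$userfile"; then
            echo "WARN: group member '$user' has no entry in $userfile"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Constructed fixture mirroring the guide's layout; the hash is a dummy
# placeholder, not real htpasswd output, and "jill" is deliberately missing.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/public_html/somdirectory" "$root/htaccess"
    printf 'editors: jack jill\n' > "$root/htaccess/.htgroups"
    printf 'jack:PLACEHOLDER_HASH\n' > "$root/htaccess/.htpasswd"
    cat > "$root/public_html/somdirectory/.htaccess" <<EOF
AuthUserFile $root/htaccess/.htpasswd
AuthGroupFile $root/htaccess/.htgroups
AuthName "Secure Area"
AuthType Basic
require group editors
EOF
    echo "$root"
}

demo=$(make_fixture)
check_htauth "$demo/public_html/somdirectory/.htaccess" "$demo/public_html" \
    || echo "$? problem(s) found"
rm -rf "$demo"
```

Against a real setup, call check_htauth with the path to your .htaccess and your document root, for example /home/someuser/public_html.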

Protecting Specific Files

If you only want to protect a specific file or files, you can easily do so. To protect only the file "admin.php" change the .htaccess file to the following, which presumes you moved the files outside the web document tree as specified above:

 AuthUserFile /home/someuser/htaccess/.htpasswd
 AuthGroupFile /home/someuser/htaccess/.htgroups
 AuthName "Secure Area"
 AuthType Basic

 <Files admin.php>
  require group editors
 </Files>

That's it! I've tested the steps outlined in this guide several times and I believe they're error-free. If you think this guide can be improved in some way, let me know.

– Hagan Fox

Copyright © 2004, 2005 Hagan Fox. All rights reserved.
Page last modified on September 05, 2005, at 12:06 PM EST