Apache .htaccess Access Control Configuration


The .htaccess file must be placed in the directory you want protected. It must contain the following:

AuthUserFile /var/www/<server_name>/htdocs/<directory_name>/.htpasswd
AuthGroupFile /dev/null
AuthName "Private"
AuthType Basic
require valid-user

.htpasswd is the list of authorized usernames and passwords. The format is as follows:


Passwords are in an encrypted form. Use the command htpasswd to create them:

htpasswd [-c] passwordfile username

Only use the -c option one time (when first creating the password file), or it will wipe out the contents of any existing .htpasswd file.

It is suggested that both .htaccess and .htpasswd be owned by root:root and have 0644 permissions.
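
The setup above can be checked from the shell. The following is an added example, not part of the original page: audit_htaccess and htpasswd_add are hypothetical helper names, the sample files are constructed, and it assumes the usual one-entry-per-line username:hash layout of the password file and an AuthUserFile path without spaces.

```shell
#!/bin/sh
# audit_htaccess DIR: print one line per finding for a directory protected
# as described above; the return status is the number of findings.
audit_htaccess() {
    dir=$1; n=0
    note() { echo "FINDING: $*"; n=$((n + 1)); }
    ht="$dir/.htaccess"
    if [ ! -f "$ht" ]; then note "$ht is missing"; return "$n"; fi
    # Path named by the first AuthUserFile directive (quotes stripped).
    pw=$(awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2; exit }' "$ht")
    if [ -z "$pw" ]; then
        note "no AuthUserFile directive in $ht"
    elif [ ! -f "$pw" ]; then
        note "password file $pw does not exist"
    else
        # Every line that is not blank or a # comment must be username:hash.
        bad=$(awk -F: '/^#/ || /^$/ { next }
            NF < 2 || $1 == "" || $2 == "" { c++ } END { print c + 0 }' "$pw")
        [ "$bad" -eq 0 ] || note "$bad malformed line(s) in $pw"
        [ -s "$pw" ] || note "$pw is empty (was it recreated with -c?)"
    fi
    # 0644 means writable by the owner only: flag group/world write bits.
    for f in "$ht" "$pw"; do
        [ -f "$f" ] || continue
        if [ -n "$(find "$f" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            note "$f is group- or world-writable"
        fi
    done
    return "$n"
}

# htpasswd_add FILE USER: pass -c only when FILE is missing or empty,
# so an existing user list is never wiped by accident.
htpasswd_add() {
    if [ -s "$1" ]; then htpasswd "$1" "$2"; else htpasswd -c "$1" "$2"; fi
}

# Demo on constructed files (placeholder hash, not a real credential).
demo=$(mktemp -d)
printf 'AuthUserFile %s/.htpasswd\nAuthType Basic\nrequire valid-user\n' "$demo" > "$demo/.htaccess"
printf 'alice:HASH_PLACEHOLDER\nbob\n' > "$demo/.htpasswd"
chmod 644 "$demo/.htaccess"; chmod 666 "$demo/.htpasswd"
audit_htaccess "$demo" || echo "$? finding(s)"
rm -rf "$demo"
```

The demo reports two findings: the "bob" line has no hash field, and the 0666 password file is writable by everyone.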

You might also want to customize the response given to an unauthorized access attempt ("401: Unauthorized"). The following line is an example of what you can add to .htaccess:

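ErrorDocument 401 /401.html

This will direct unauthorized requests to the file "401.html" in the htdocs root directory. For 401, the target must be a local path like this rather than a full URL: a full URL makes Apache send a redirect, so the client never receives the 401 status and does not prompt for a password.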

This can be done for any of the error codes ("404: Not found" and "403: Forbidden", for example).