Recently a reader asked about how to password-protect a directory for every specified IP while allowing open access to everyone else. In my article, Stupid htaccess Tricks, I show how to password-protect a directory for every IP except the one specified, but not for the reverse case. In this article, I will demonstrate this technique along with a wide variety of other useful password-protection tricks, including a few from my Stupid htaccess Tricks article. Before getting into the juicy stuff, we’ll review a few basics of HTAccess password protection.
HTAccess password protection works in cascading fashion
Before we begin, there are few things you need to know about Apache’s various password-protection directives. First, these password-protection tricks apply to the directory in which they are placed. For example, to password-protect your entire site, you would place one of these tricks in the web-accessible root HTAccess file for your site. HTAccess directives are applied down the directory structure, in cascading fashion, such that all subdirectories are also protected.
You need two files for password protection: htaccess and htpasswd
The second thing you need to know is that, in most cases, there are two parts to any password-protection implementation: the
htaccess file and the
htpasswd file. The
htaccess file will contain any of the sweet tricks provided in this article, while the
htpasswd file will contain the required username and an encrypted version of your password.
There are several ways to generate your
htpasswd file. If you are comfortable with Unix, you can simply run the “
htpasswd” command. For example, entering the following command will create a working password file in the
htpasswd -bc /home/path/.htpasswd username password
Placing the password file above the web-accessible root directory is a good security measure. If you examine the file after it has been created, the only thing it will contain is a line that looks similar to this:
Instead of running a Unix command, you may prefer to use one of the 200,000 online services providing an online password generator.
Regardless of how or where you decide to create your
htpasswd file, keep its location in mind for use in its associated HTAccess file(s). And yes, you may use one
htpasswd file for multiple HTAccess files placed in multiple directories.
Know which version of Apache you are using
In each of the examples below, the directives are enclosed within an
<IfModule> container. This is to prevent your server from crashing if the required Apache modules are not available or not installed. Generally, the required modules will be present, but the
<IfModule> check is a good precautionary measure.
When implementing any of the password-protection methods in this article, make sure you double-check which version of Apache you are using before you begin. The examples in this article assume you are using either Apache 1.3 or 2.0, as the
<IfModule> containers are checking for the presence of the
mod_auth module. Thus, if you are running Apache 2.2 (or better), you will want to replace the current
<IfModule> containers with the following:
If in doubt, ask your host, install the ShowIP Firefox extension, or dig around in your server’s control panel. And, if you just don’t know, don’t care, or can’t figure it out, just remove the opening and closing
<IfModule> tags from the method you would like to use and call it good. Without them, if your server is not equipped the required module, it will simply return a 500 error message, which is easily resolved by removing the password directives.
You can customize the dialogue on the password prompt
The last thing that you should know before diving into some sweet tricks is that you may customize the message shown on the password prompt by editing the following line in each of the examples in this article:
AuthName "Username and password required"
By changing the text inside of the quotes, you may use any language you wish for the password prompt.
At this point, we’re ready to dive into some juicy HTAccess password-protection tricks!
Basic password protection
To password protect your site or any directory, place this code in the associated HTAccess file:
# basic password protection <IfModule mod_auth.c> AuthUserFile /home/path/.htpasswd AuthName "Username and password required" AuthType Basic <Limit GET POST> Require valid-user </Limit> </IfModule>
That’s about as basic as it gets. Remember to create your password file and specify its directory in the first line. Let’s move on to something more interesting.
Open-access for a single IP, password-protect for everyone else
This method is great during project development, where you want open access with the ability to give others access via password:
# password protect excluding specific ip <IfModule mod_auth.c> AuthName "Username and password required" AuthUserFile /home/path/.htpasswd AuthType Basic Require valid-user Order Deny,Allow Deny from all Allow from 111.222.333.444 Satisfy Any </IfModule>
By placing that code into the HTAccess file of the directory that you would like to protect, only the specified IP will be allowed open access; everyone else will need to enter the proper username and password.
Open access for multiple IPs, password-protect for everyone else
The above code may be modified easily to provide multiple IPs open access while denying everyone else:
# password protect excluding specific ips <IfModule mod_auth.c> AuthName "Username and password required" AuthUserFile /home/path/.htpasswd AuthType Basic Require valid-user Order Deny,Allow Deny from all Allow from localhost Allow from 111.222.333.444 Allow from 555.666.777.888 Satisfy Any </IfModule>
You may add as many IPs as needed. This method is great during project development, where the following conditions will apply:
- Project development remains private for regular visitors
- Project access may be granted to clients (or anyone) by providing the password
- Members of the development team have open access on their respective machines
In addition to providing unrestricted access to your team, you may also want to keep certain web services in mind by including the following directives (insert above the
Satisfy Any directive):
Allow from validator.w3.org
Allow from jigsaw.w3.org
Allow from google.com
Open access for everyone with password-protect for specific IPs
This method is useful for a variety of situations, including cases where you would like to block a list of malicious IPs.
# password protect only for specified ips <IfModule mod_auth.c> AuthName "Username and password required" AuthUserFile /home/path/.htpasswd AuthType Basic Require valid-user Order Allow,Deny Allow from all Deny from 111.222.333.444 Deny from 555.666.777.888 Satisfy Any </IfModule>
You may list as many IP addresses as necessary. You may also deny from entire IP blocks by truncating the address accordingly. For example, to block everyone coming from an IP address beginning with “
999.888”, we would add the following directive:
Deny from 999.888
For more information on how this works, see this section of my Stupid htaccess Tricks article.
Open access for everyone with password-protect for specific CIDR number
Similar to the previous method, here is a technique for requiring a password only from a select CIDR number. This method is useful for blocking mega-spammers such as RIPE, Optinet, and others. If, for example, you find yourself adding line after line of Apache
Deny directives for addresses beginning with the same first few numbers, choose one of them and try a whois lookup. Listed within the whois results will be the CIDR value representing every IP address associated with that particular network. Thus, blocking via CIDR is an effective way to eloquently prevent all IP instances of the offender from accessing your site. Here is a generalized example for blocking by CIDR:
# password protect only for specified CIDR <IfModule mod_auth.c> AuthName "Username and password required" AuthUserFile /home/path/.htpasswd AuthType Basic Require valid-user Order Allow,Deny Allow from all Deny from 10.1.0.0/16 Deny from 80.0.0/8 Satisfy Any </IfModule>
Password protect a single file
I have used this technique countless times. To password-protect a single file, simply add this to your HTAccess file:
# password protect single file <IfModule mod_auth.c> <Files "protected.html"> AuthName "Username and password required" AuthUserFile /home/path/.htpasswd Require valid-user AuthType Basic </Files> </IfModule>
Here we are protecting a file named “
protected.html” from access. The file will only be available after submission of the proper username and password.
Password protect multiple files
To protect multiple files, the method is very similar, only this time we are using Apache’s
FilesMatch directive. This allows us to list as many files as needed:
# password protect mulitple files <IfModule mod_auth.c> <FilesMatch "(protected\.html)|(passwords\.txt)"> AuthName "Username and password required" AuthUserFile /home/path/.htpasswd Require valid-user AuthType Basic </FilesMatch> </IfModule>
In this example, we are password protecting two files, “
protected.html” and “
passwords.txt”. To add more, simply include more instances of “
|(filename\.ext)” in the list of files.
Password protect multiple file types
With this method, we are using Apache’s
FilesMatch directive to password-protect multiple file types. Here is an example:
# password protect mulitple file types <IfModule mod_auth.c> <FilesMatch "\.(inc|txt|log|dat|zip|rar)$"> AuthName "Username and password required" AuthUserFile /home/path/.htpasswd Require valid-user AuthType Basic </FilesMatch> </IfModule>
Once in place, this code will require a password for access to the following file types:
.rar. Customize to suit your needs.
Password protection for everything except a single file
Thanks to Brett Batie for this powerful technique for allowing access to a single file while password-protecting everything else:
# password protect everything except a single file <IfModule mod_auth.c> AuthName "Username and password required" AuthUserFile /home/path/.htpasswd Require valid-user AuthType Basic <Files "open-access.html"> Order Deny,Allow Deny from all Allow from 123.456.789 Satisfy any </Files> </IfModule>
When placed in the root directory or any parent directory, this code will password-protect everything except the file named “
open-access.html”, which itself may be located in any subsequent directory or subdirectory.
To protect everything while allowing access to multiple files, we may use Apache’s
FilesMatch directive instead. Here is an example allowing access to “
open-access-2.html”, and “
# password protect everything except specified files <IfModule mod_auth.c> AuthName "Username and password required" AuthUserFile /home/path/.htpasswd Require valid-user AuthType Basic <FilesMatch "(open-access-1.html)|(open-access-2.html)|(open-access-3.html)"> Order Deny,Allow Deny from all Allow from 123.456.789 Satisfy any </FilesMatch> </IfModule>
Note that we may consolidate the file list as follows:
An alternative approach to allowing open access to any file or group of files is to locate them in their own directory with the following directives added to its HTAccess file:
Allow from all
Wrap it up then
As you can see, Apache’
mod_auth functionality makes it possible to configure just about password-protection setup you may need. From preventing access from specific IP addresses and domains to allowing access only for specific files and directories, Apache makes it possible to protect your files easily and securely. And we haven’t even gotten into the many possibilities available for configuring specific user and group authorizations. I think I’ll save that for another article. In the meantime, for more information on Apache’s powerful
mod_auth, check out the Official Documentation.