HTAccess Password-Protection Tricks
Recently a reader asked about how to password-protect a directory for every specified IP while allowing open access to everyone else. In my article, Stupid htaccess Tricks, I show how to password-protect a directory for every IP except the one specified, but not for the reverse case. In this article, I will demonstrate this technique along with a wide variety of other useful password-protection tricks, including a few from my Stupid htaccess Tricks article. Before getting into the juicy stuff, we’ll review a few basics of HTAccess password protection.
HTAccess password protection works in cascading fashion
Before we begin, there are few things you need to know about Apache’s various password-protection directives. First, these password-protection tricks apply to the directory in which they are placed. For example, to password-protect your entire site, you would place one of these tricks in the web-accessible root HTAccess file for your site. HTAccess directives are applied down the directory structure, in cascading fashion, such that all subdirectories are also protected.
You need two files for password protection: htaccess and htpasswd
The second thing you need to know is that, in most cases, there are two parts to any password-protection implementation: the .
htaccess
file and the .
htpasswd
file. The .
htaccess
file will contain any of the sweet tricks provided in this article, while the .
htpasswd
file will contain the required username and an encrypted version of your password.
There are several ways to generate your .
htpasswd
file. If you are comfortable with Unix, you can simply run the “htpasswd
” command. For example, entering the following command will create a working password file in the /home/path/
directory:
htpasswd -bc /home/path/.htpasswd username password
Placing the password file above the web-accessible root directory is a good security measure. If you examine the file after it has been created, the only thing it will contain is a line that looks similar to this:
username:Mx1lbGn.nkP8
Instead of running a Unix command, you may prefer to use one of the 200,000 online services providing an online password generator.
Regardless of how or where you decide to create your .
htpasswd
file, keep its location in mind for use in its associated HTAccess file(s). And yes, you may use one .
htpasswd
file for multiple HTAccess files placed in multiple directories.
Know which version of Apache you are using
In each of the examples below, the directives are enclosed within an <IfModule>
container. This is to prevent your server from crashing if the required Apache modules are not available or not installed. Generally, the required modules will be present, but the <IfModule>
check is a good precautionary measure.
When implementing any of the password-protection methods in this article, make sure you double-check which version of Apache you are using before you begin. The examples in this article assume you are using either Apache 1.3 or 2.0, as the <IfModule>
containers are checking for the presence of the mod_auth
module. Thus, if you are running Apache 2.2 (or better), you will want to replace the current <IfModule>
containers with the following:
<IfModule mod_authn_file.c></IfModule>
If in doubt, ask your host, install the ShowIP Firefox extension, or dig around in your server’s control panel. And, if you just don’t know, don’t care, or can’t figure it out, just remove the opening and closing <IfModule>
tags from the method you would like to use and call it good. Without them, if your server is not equipped the required module, it will simply return a 500 error message, which is easily resolved by removing the password directives.
You can customize the dialogue on the password prompt
The last thing that you should know before diving into some sweet tricks is that you may customize the message shown on the password prompt by editing the following line in each of the examples in this article:
AuthName "Username and password required"
By changing the text inside of the quotes, you may use any language you wish for the password prompt.
So now at this point in our adventure, we’re ready to dive into some juicy HTAccess password-protection tricks..
Basic password protection
To password protect your site or any directory, place this code in the associated HTAccess file:
# basic password protection
<IfModule mod_auth.c>
AuthUserFile /home/path/.htpasswd
AuthName "Username and password required"
AuthType Basic
<Limit GET POST>
Require valid-user
</Limit>
</IfModule>
That’s about as basic as it gets. Remember to create your password file and specify its directory in the first line. Let’s move on to something more interesting.
Open-access for one IP, password-protect everyone else
This method is great during project development, where you want open access with the ability to give others access via password:
# password protect excluding specific ip
<IfModule mod_auth.c>
AuthName "Username and password required"
AuthUserFile /home/path/.htpasswd
AuthType Basic
Require valid-user
Order Deny,Allow
Deny from all
Allow from 111.222.333.444
Satisfy Any
</IfModule>
By placing that code into the HTAccess file of the directory that you would like to protect, only the specified IP will be allowed open access; everyone else will need to enter the proper username and password.
Open access multiple IPs, password-protect everyone else
The above code may be modified easily to provide multiple IPs open access while denying everyone else:
# password protect excluding specific ips
<IfModule mod_auth.c>
AuthName "Username and password required"
AuthUserFile /home/path/.htpasswd
AuthType Basic
Require valid-user
Order Deny,Allow
Deny from all
Allow from localhost
Allow from 111.222.333.444
Allow from 555.666.777.888
Satisfy Any
</IfModule>
You may add as many IPs as needed. This method is great during project development, where the following conditions will apply:
- Project development remains private for regular visitors
- Access may be granted to clients (or anyone) by providing the password
- Members of the development team have open access on their respective machines
In addition to providing unrestricted access to your team, you may also want to keep certain web services in mind by including the following directives (insert above the Satisfy Any
directive):
Allow from validator.w3.org
Allow from jigsaw.w3.org
Allow from google.com
Open access for everyone with password-protect for specific IPs
This method is useful for a variety of situations, including cases where you would like to block a list of malicious IPs.
# password protect only for specified ips
<IfModule mod_auth.c>
AuthName "Username and password required"
AuthUserFile /home/path/.htpasswd
AuthType Basic
Require valid-user
Order Allow,Deny
Allow from all
Deny from 111.222.333.444
Deny from 555.666.777.888
Satisfy Any
</IfModule>
You may list as many IP addresses as necessary. You may also deny from entire IP blocks by truncating the address accordingly. For example, to block everyone coming from an IP address beginning with “999.888
”, we would add the following directive:
Deny from 999.888
For more information on how this works, see this section of my Stupid htaccess Tricks article.
Open access for everyone with password-protect for specific CIDR number
Similar to the previous method, here is a technique for requiring a password only from a select CIDR number. This method is useful for blocking mega-spammers such as RIPE, Optinet, and others. If, for example, you find yourself adding line after line of Apache Deny
directives for addresses beginning with the same first few numbers, choose one of them and try a whois lookup. Listed within the whois results will be the CIDR value representing every IP address associated with that particular network. Thus, blocking via CIDR is an effective way to eloquently prevent all IP instances of the offender from accessing your site. Here is a generalized example for blocking by CIDR:
# password protect only for specified CIDR
<IfModule mod_auth.c>
AuthName "Username and password required"
AuthUserFile /home/path/.htpasswd
AuthType Basic
Require valid-user
Order Allow,Deny
Allow from all
Deny from 10.1.0.0/16
Deny from 80.0.0/8
Satisfy Any
</IfModule>
Password protect a single file
I have used this technique countless times. To password-protect a single file, simply add this to your HTAccess file:
# password protect single file
<IfModule mod_auth.c>
<Files "protected.html">
AuthName "Username and password required"
AuthUserFile /home/path/.htpasswd
Require valid-user
AuthType Basic
</Files>
</IfModule>
Here we are protecting a file named “protected.html
” from access. The file will only be available after submission of the proper username and password.
Password protect multiple files
To protect multiple files, the method is very similar, only this time we are using Apache’s FilesMatch
directive. This allows us to list as many files as needed:
# password protect mulitple files
<IfModule mod_auth.c>
<FilesMatch "(protected\.html)|(passwords\.txt)">
AuthName "Username and password required"
AuthUserFile /home/path/.htpasswd
Require valid-user
AuthType Basic
</FilesMatch>
</IfModule>
In this example, we are password protecting two files, “protected.html
” and “passwords.txt
”. To add more, simply include more instances of “|(filename\.ext)
” in the list of files.
Password protect multiple file types
With this method, we are using Apache’s FilesMatch
directive to password-protect multiple file types. Here is an example:
# password protect mulitple file types
<IfModule mod_auth.c>
<FilesMatch "\.(inc|txt|log|dat|zip|rar)$">
AuthName "Username and password required"
AuthUserFile /home/path/.htpasswd
Require valid-user
AuthType Basic
</FilesMatch>
</IfModule>
Once in place, this code will require a password for access to the following file types: .inc
, .txt
, .log
, .dat
, .zip
, and .rar
. Customize to suit your needs.
Password protection for everything except a single file
Thanks to Brett Batie for this powerful technique for allowing access to a single file while password-protecting everything else:
# password protect everything except a single file
<IfModule mod_auth.c>
AuthName "Username and password required"
AuthUserFile /home/path/.htpasswd
Require valid-user
AuthType Basic
<Files "open-access.html">
Order Deny,Allow
Deny from all
Allow from 123.456.789
Satisfy any
</Files>
</IfModule>
When placed in the root directory or any parent directory, this code will password-protect everything except the file named “open-access.html
”, which itself may be located in any subsequent directory or subdirectory.
To protect everything while allowing access to multiple files, we may use Apache’s FilesMatch
directive instead. Here is an example allowing access to “open-access-1.html
”, “open-access-2.html
”, and “open-access-3.html
”:
# password protect everything except specified files
<IfModule mod_auth.c>
AuthName "Username and password required"
AuthUserFile /home/path/.htpasswd
Require valid-user
AuthType Basic
<FilesMatch "(open-access-1.html)|(open-access-2.html)|(open-access-3.html)">
Order Deny,Allow
Deny from all
Allow from 123.456.789
Satisfy any
</FilesMatch>
</IfModule>
Note that we may consolidate the file list as follows:
<FilesMatch "open-access-[1-3]\.html">
An alternative approach to allowing open access to any file or group of files is to locate them in their own directory with the following directives added to its HTAccess file:
Allow from all
satisfy any
Wrap it up then
As you can see, Apache’ mod_auth
functionality makes it possible to configure just about password-protection setup you may need. From preventing access from specific IP addresses and domains to allowing access only for specific files and directories, Apache makes it possible to protect your files easily and securely. And we haven’t even gotten into the many possibilities available for configuring specific user and group authorizations. I think I’ll save that for another article. In the meantime, for more information on Apache’s powerful mod_auth
, check out the Official Documentation.
25 responses to “HTAccess Password-Protection Tricks”
@esthezia: not sure, but it sounds like a path issue. The key to setting up htaccess password protection is making sure that all of the files and paths are available, included, and properly referenced. When this happens for me, I usually triple-check that everything is exactly where it should be.
Nice post Jeff
How can I protect files for certain users, like
user1
can only accessuser1.html
anduser2
can only accessuser2.html
Thanks
@Stone Deft: not sure.. if it isn’t covered in the article, you may want to try google – there is lots of good info on setting up per-user passwords with htaccess.
Thanks Jeff here’s what I did :
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /home/mySite/.htpasswds/.htpasswd
AuthGroupFile /dev/null
Require valid-user
require user stonedeft
Cheers
Thanks for the follow-up, Stone – great to hear you found a solution :)
I WROTE CODE LIKE THIS:
AuthName "UNDER DEVELOPMENT"
AuthUserFile /home/path/.htpasswd
AuthType Basic
Require valid-user
Order Deny,Allow
Deny from all
Allow from 192.168.10.118
Satisfy Any
BUT I AM STILL PROMPTED PASSWORD ON THE ALLOSED IP
192.168.10.118
PLEASE HELP…..I’M DESPERATE
@Peter: Without looking into it, it is difficult to guess what the issue might be. One thing I can tell you is that setting up htaccess password protection to work properly requires very precise synchronization of all involved components: the .htaccess file, the password file, the IP, and so on. I suggest triple-checking that everything is in fact in place as declared in the various directives.
Thanx for the reply Jeff, but It got me confused because when i have ‘Satisfy any’ in .htaccess file, the website does not require password but when i remove it, every ip address is required password. Anyway thank you for the help, i will try even more checking.
how do I know the site really secure?
sometimes we have done everything but the hackers still can bombard our website
I’ve been struggling with how to password protect individual blogs on a WordPress 3.0 multisite network. Ideally, I need web visitors to arrive at the subdomain URL (subdomain.domain.com) and be required to enter a password to gain access to the blog, but then not be asked for a password for any of the pages within that blog until they close out their browser session. I know you can accomplish this with .htaccess on a directory – but I don’t know how it would work with WordPress 3.0 multisites since they don’t exist in a directory. Any guidance would be appreciated. Thanks!
mod_auth has been deprecated in Version 2 of Apache Server in favor of mod_auth_basic. People trying to use the examples in your most excellent tutorial may find they don’t work with the
<IfModule mod_auth.c>
and</IfModule>
lines left in. Apache 2 will ignore the whole thing when it processes .htaccessThe mod_auth page on Apache’s site says:
Editor’s note: This is addressed directly in the article in the section, “Know which version of Apache you are using”.
I have a pword protected folder (htaccess method) and within that another folder.
When going to
index1.html
in the top folder, a pword is requested.Index1.html
then links toindex2.html
in the next folder and index2 comes up Ok.Index2 has a src link to a m4v movie also in that second folder. But the movie will not load/play without the pword being entered again.
Why is the pword being asked for again?
thank you.