How do I limit access to my web pages?
Note: This information applies primarily to Apache and NCSA HTTPd web servers; at Indiana University, Apache runs on Pages and Webserve. It also assumes you are using a Unix-based text editor from inside your Unix account.
An easy way to control access to web pages on your site is to use
.htaccess files. You can use these to password-protect an
entire directory, but not individual files within the directory.
The .htaccess file, which resides inside the restricted
directory, alerts the web browser of the restriction and determines if
a given username is authorized to view the directory. If the username
is correct, it passes the authorized user on to the password file.
The following instructions outline the setup of a simple user
.htaccess file. This process is for a
typical Unix account. Depending on which Unix shell you are
using and the way your local server is set up, the exact procedure may
vary. This simplified process consists of three parts: setting up the
directory you wish to restrict, setting up the .htaccess
file, and setting up the password file.
Note: At IU Bloomington, your Pages web page
actually resides on a particular volume of the HPNFS server. If you do
not list your file paths correctly, you will not be able to set up
Setting up the restricted directory
To restrict access to your files, you must first move them all to a
single subdirectory of your
www directory (e.g.,
www/restricted). Once you have created this subdirectory
and moved your files to it, be sure to set the permissions so that the
files are executable and readable from your web browser. To set
permissions for directories, in the parent directory of the directory
you want to change, enter:
Replace directoryname with the name of the directory
whose permissions you want to set.
To set permissions for files, in the directory containing the files, enter:
chmod 644 filename
Replace filename with the name of the file whose
permissions you want to set.
Setting up the .htaccess file
The .htaccess file sets up a path to the password file
(.file-password) and tells the computer which users are
allowed to access that file.
To set up your
.htaccess file, open a text editor (e.g.,
Emacs, vi, or Pico), and name the new file
.htaccess. This file must be
in the same directory as the password-protected pages. You must also
set the permissions on this file so that it is readable from your web
browser. At the command line enter:
Here is a generic example of a simple
On Pages accounts at IU, the path to the password file is different
from the example given above. It must include the
volume of the NFS server that actually serves your Pages
files. A good
AuthUserFile line for accounts on
Mercury would be:
Replace lskywalker with your username.
Following is an explanation of each variable of the
||This variable references the
||This variable should point to
||This variable simply refers to the title for the authentication box
that pops up when your browser tries to access the contents of the
restricted directory. This message can be anything you like, but
recent versions of Apache require you to enclose it in quotes. If you
leave it blank, the default name will be
||This variable must be set to
||Set this variable type to
||This line is a list of usernames for people who are authorized to
view the restricted directory. In this line, enter the usernames of
those users for whom you wish to grant access.
Note: Don't forget to include your username in the list. Otherwise, the password screen will keep you from seeing your own files.
Setting up the password file
Once you have finished editing your
.htaccess file, you
can create a password file. This file is a plain text file with
passwords encrypted using the one-way encryption
call. On many Unix systems, the task of setting up the password file
is automated with the
Note: Your password for web pages should not be the same as the password you use to access your central web and email accounts. Although your password file will be encrypted, it is still very easy to crack passwords using commonly available cracking programs. For this reason, your password should never be a real word or any other password that could be easily guessed; see Passwords and passphrases.
To set up your password file with htpasswd:
- Use cd to exit the subdirectory where you set up your .htaccess file, and then enter:
htpasswd -c ~/.file-password username
Replace username with your username. When you run this command, htpasswd will automatically generate the .file-password file and will prompt you for a password. The htpasswd program will then ask you to confirm your password. If you set up the password correctly, the password and username will be in your password file.
- To add additional users to the password file, run htpasswd without the -c flag. For example, to add the username hsolo to the password file, you would enter:
htpasswd ~/.file-password hsolo
When prompted, enter the password for
- Finally, to make your files world readable, enter the following
command for each password file:
chmod 644 filename
Replace filename with the name of your password file (e.g.,
.file-password), and enter the password for your new user when prompted.
Now, when you try to access the restricted directory from a web
browser, the browser will bring up a password protection window. Enter
a valid username to view the restricted files. If you wish to remove
the password restrictions for files in the directory, you must either
move the files to another directory or remove the
Unfortunately, there is no other simple way to restrict access to a
directory or to individual files within a directory. If you want to
restrict access to a directory without having to enter all of the
authorized usernames, create an easily remembered username (such as
guest) and password (such as
release it to the people whom you want to have access. Be aware that
if you do this, you lose some control over who can access your files.
If you wish to change access restrictions, you will have to edit your
.htaccess and password files.
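As an added example (not part of the original page), the following shell script checks a finished setup: it reads the AuthUserFile path from an .htaccess file, confirms that the password file sits outside the web root and is not writable by group or others, and reports the hash scheme of each entry. The sample directory, the .htaccess contents and the hashes are constructed placeholders, and the `htpasswd -B` (bcrypt) hint assumes the htpasswd shipped with Apache 2.4.

```shell
#!/bin/sh
# Added example (not from the original page): audit the password file that
# an .htaccess file points at. All sample files below are constructed.

# Print the AuthUserFile path named in .htaccess file $1 (quotes stripped).
auth_user_file() {
    awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# Classify an htpasswd hash by its prefix or length.
hash_scheme() {
    case "$1" in
        '$2y$'*)       echo bcrypt ;;
        '$apr1$'*)     echo apr1-md5 ;;
        '{SHA}'*)      echo sha1-unsalted ;;
        ?????????????) echo des-crypt ;;   # traditional crypt(): 13 characters
        *)             echo unknown ;;
    esac
}

# Audit .htaccess file $1; $2 is the web root (the www directory).
audit_htaccess() {
    pwfile=$(auth_user_file "$1")
    [ -n "$pwfile" ] || { echo "FAIL no AuthUserFile in $1"; return 0; }
    [ -r "$pwfile" ] || { echo "FAIL cannot read $pwfile"; return 0; }
    case "$pwfile" in
        "$2"/*) echo "FAIL password file is inside the web root" ;;
    esac
    if [ -n "$(find "$pwfile" \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "FAIL password file is writable by group or others"
    fi
    while IFS=: read -r user hash rest; do
        [ -n "$user" ] || continue
        scheme=$(hash_scheme "$hash")
        if [ "$scheme" = bcrypt ]; then echo "OK   $user $scheme"
        else echo "WARN $user $scheme (re-create with htpasswd -B)"; fi
    done < "$pwfile"
}

# Constructed sample mirroring the page's layout; hashes are placeholders.
demo=$(mktemp -d)
mkdir -p "$demo/www/restricted"
printf '%s\n' 'lskywalker:abJnggxhB/yWI' \
    'hsolo:$2y$05$constructed.placeholder.not.a.real.hash' > "$demo/.file-password"
chmod 644 "$demo/.file-password"
printf 'AuthUserFile %s\nAuthName "Restricted"\nAuthType Basic\nRequire user lskywalker hsolo\n' \
    "$demo/.file-password" > "$demo/www/restricted/.htaccess"
audit_htaccess "$demo/www/restricted/.htaccess" "$demo/www"
```

A WARN line means the entry uses a hash that is cheap to brute-force if the world-readable password file is copied; a FAIL line means the file's location or mode should be fixed before relying on the restriction.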
Last modified on January 13, 2014.