Re: Hiding directory contents from HTTP

On Tue, 20 Dec 2005 17:37:51 -0800, Peter Pearson mumbled something like

> Rincewind wrote:
>> His ISP will definitely not allow him to play with their httpd.conf!
>> He could probably use .htaccess and htpasswd if he has shell access to
>> the server.
> I could ftp .htaccess and htpasswd to the server, but I gather it's not
> cool to put htpasswd in a web-visible place.
> Thanks for thinking about this for me.

htpasswd is the command that is used to create and manage the access
file(s), not a file that you would ftp up. It is usually located in
/usr/bin on a *nix system.

You are correct that you could probably ftp a .htaccess file and a
password file to your site, but you will need to be able to locate the
password file where it cannot be accessed by browsers. The .htaccess file
should point to this location and should be stored in the directory you
want to protect. The following example uses groups as well as users, but
you don't need to create the .group file if not required.

Here is an example .htaccess:

AuthType Basic
AuthUserFile /home/mysite/logs/.passwd
AuthGroupFile /home/mysite/logs/.group
<Limit GET POST>
require valid-user

and the command to create the .passwd file containing 'jim' would be:

htpasswd -c /home/mysite/logs/.passwd jim

You will then be prompted for the password and the file will be created.
Amend the paths to something appropriate for your circumstances.

A study of the relevant man pages would also help.

/ \


Relevant Pages

  • Re: Reading from the htpasswd file
    ... either Apache has to parse .htpasswd, or PHP has to parse the flat-file where all the passwords are stored. ... Do not actually know how Apache parses the .htpasswd file, but would imagine internally it's roughly similar to how you'd do it in PHP, i.e., ... So, unless you have an SSL connection, or don't care if anyone snoops your credentials, using ..htaccess is not always the best way to log in. ...
  • Re: webdav security problem
    ... You could probably go for implementing .htaccess and .htpasswd ... only authorized users will only be able to access the ... Information Security Analyst ...
  • .htpasswd and .htaccess - security-path
    ... I want zu install a security-path with .htaccess and .htpasswd on my privat ... I succeeded with a .htaccess and Error 404-adressing a special Error-page ...
  • Re: securing host username password
    ... i upload them using ascii mode ... .htaccess was placed in directory i want protected ... .htpasswd got placed in my public_html folder ...
  • Re: [SLE] .htaccess in 8.2 pro
    ... On Monday 11 August 2003 06.09, Count Schemula wrote: ... and can't get .htaccess to work with apache. ... > even though the user in in the password file. ... # AllowOverride controls what directives may be placed in .htaccess files. ...