Re: Hiding directory contents from HTTP



On Tue, 20 Dec 2005 17:37:51 -0800, Peter Pearson mumbled something like
this:

> Rincewind wrote:
>>
>> His ISP will definitely not allow him to play with their httpd.conf!
>>
>> He could probably use .htaccess and htpasswd if he has shell access to
>> the server.
>
> I could ftp .htaccess and htpasswd to the server, but I gather it's not
> cool to put htpasswd in a web-visible place.
>
> Thanks for thinking about this for me.

htpasswd is the command that is used to create and manage the access
file(s), not a file that you would ftp up. It is usually located in
/usr/bin on a *nix system.

You are correct that you could probably ftp a .htaccess file and a
password file to your site, but you will need to be able to locate the
password file where it cannot be accessed by browsers. The .htaccess file
should point to this location and should be stored in the directory you
want to protect. The following example uses groups as well as users, but
you don't need to create the .group file if not required.

Here is an example .htaccess:

AuthType Basic
AuthName "MYSITE LOGIN"
AuthUserFile /home/mysite/logs/.passwd
AuthGroupFile /home/mysite/logs/.group
<Limit GET POST>
require valid-user
</Limit>

and the command to create the .passwd file containing 'jim' would be:

htpasswd -c /home/mysite/logs/.passwd jim

You will then be prompted for the password and the file will be created.
Amend the paths to something appropriate for your circumstances.

A study of the relevant man pages would also help.

--
Rinso
/\
/ \
/wizz\
~~~~~~~~~~~~

.