Password Protecting Websites
This is a rough tutorial on password protecting websites running on a
server that uses Apache software (such as this one). This guide is
neither complete nor all-inclusive; it is merely a way to get things
protected quickly, easily and safely. For more information, see
apache.org, although I warn
you, it can be confusing and hardly helpful, and is not suited to a
quick how-to.
There are 2 main elements to setting up passwords:
.htaccess file
the users file
The .htaccess File
.htaccess is the standard name defined by Apache for the password
settings file, which applies per directory and sub-directories. The
contents of this file will specify how access should be handled.
A common .htaccess file will look like this:
AuthType Basic
AuthName "Password Required"
AuthUserFile /home/myname/public_html/myfolder/.htusers
order deny,allow
deny from all
require valid-user
satisfy any
The above settings mean the following:
AuthType Basic : Use standard security, acceptable for most
applications
AuthName "Password Required" : What will be displayed as the
prompt for verification (i.e. the words in the pop-up box).
AuthUserFile ... : The location of the file that contains the
user names and their passwords (stored encrypted). [see below]
order deny,allow
deny from all : By default, deny access from any IP
require valid-user : Only allow a validated user to enter
satisfy any : As long as 1 of the above parameters is met,
allow access
Running example: Try to log in here
The User File
This file, the name of which is specified in .htaccess, is the list of
the user names and passwords which are accepted by the server.
A common file will look like this:
ralph:WaOaPORZmVKxI
rod:W5Jpa/rAskTf6
karen:Tnt1Yjs6Stsec
Or, for the above example:
cows:2AQ.xF9PQzU5I
Try to log in again with username "cows", password "moo". It should work
a bit better than before.
In order to generate the encrypted passwords, systems will usually
provide a utility such as htpasswd, which will generate the user file
and store the user and provided password in it. Currently, this server
does not have the htpasswd utility; however, you can use the
PHP script provided by Karen Friesen and Rod Apeldoorn to create the
encrypted passwords.
http://www.crazygrrl.com/weav/htaccess/crypt.php3
User: weav
Password: fred
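As an added example (not part of the original tutorial), the Python
script below reads a user file in the format shown above and reports
which password scheme each entry uses. The 13-character entries on this
page are traditional crypt() hashes, which the htpasswd documentation
describes as insecure by today's standards and limited to 8-character
passwords. The function names are illustrative, and every sample entry
other than ralph and cows is a constructed placeholder.

```python
import re

# Constructed sample in the user-file format. The ralph and cows lines are
# the entries shown on this page; all other lines are made-up placeholders.
SAMPLE = """\
ralph:WaOaPORZmVKxI
cows:2AQ.xF9PQzU5I
alice:$apr1$CONSTRUCT$0123456789abcdefghijkl
bob:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
carol:$2y$05$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234
dave:moo
broken line without separator
"""

# Traditional crypt(3): 2 salt characters followed by 11 hash characters.
CRYPT_DES = re.compile(r"^[./0-9A-Za-z]{13}$")

def classify(field):
    """Return (scheme, weak) for the password field of one entry."""
    if field.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt", False
    if field.startswith("$apr1$"):
        return "apr1-md5", False
    if field.startswith("{SHA}"):
        return "sha1-unsalted", True
    if CRYPT_DES.match(field):
        return "des-crypt", True
    # Anything else is stored as typed or is a scheme not recognised here.
    return "plaintext-or-unknown", True

def audit(text):
    """Parse user-file text into (line_no, user, scheme, weak) tuples."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no entry
        fields = line.split(":")
        if len(fields) < 2 or not fields[0]:
            findings.append((line_no, None, "malformed", True))
            continue
        scheme, weak = classify(fields[1])
        findings.append((line_no, fields[0], scheme, weak))
    return findings

if __name__ == "__main__":
    for line_no, user, scheme, weak in audit(SAMPLE):
        print(f"line {line_no}: {user!s:8} {scheme:22} {'WEAK' if weak else 'ok'}")
```

Entries flagged WEAK are candidates for regeneration with a stronger
scheme, such as the bcrypt option of htpasswd.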
Further Elaboration
Why is the file named .htaccess and not just htaccess?
Well, in a UNIX system, any files starting with a period (e.g.
.htaccess) are considered by default to be hidden files; therefore, when
you list directory contents, they will not typically be displayed
(although they are there and can be viewed with the right commands).
Since Apache was initially developed for the Unix world, it naturally
disallows access to any hidden file (one named .name).
Created by:
Michael Thompson