5. What about restricting access by username/password?

It is also possible to protect Web directories by username/password combinations. In order to set this up you should follow these steps if you using the OUCS web server (if you are using a different server contact that system's sysadmin):

  1. Log in to the Linux system linux.ox.ac.uk using your Oxford username and password
  2. Create a file containing usernames and encrypted passwords:

    % htpasswd [-c] passwordfile username

    For example,

    % htpasswd -c /web/users/$USER/cgi/myusers.passwd fred
    Adding user fred
    New password: rubbish (not echoed)
    Re-type new password: rubbish (not echoed)

    The file used to store the passwords should not be in the accessible document tree; the cgi directory is a good location (on linux.ox.ac.uk this can be accessed as /web/users/$USER/cgi).

    The -c flag is only needed the first time that the command is used.

    You will be prompted twice for each user's password. You will need to use the htpasswd command for each user you want to add.

  3. Make sure that the file which holds the passwords is world-readable. For example:
    % chmod a+r /web/users/$USER/cgi/myusers.passwd
  4. The commands to activate the password file are placed in the .htaccess file. As before, this file needs to be placed in the directory where access restriction is to start. For example:

    AuthType Basic
    AuthName my-private-webpages
    AuthUserFile /web/users/aragog.oucs.ox.ac.uk/6/e/fred/cgi/myusers.passwd
    require valid-user
    AuthName can be anything meaningful to the people that need to supply a username and password (note that a value is required). If the name contains spaces, it must be given in quotes. Using the above example, when the username is requested the browser will display "Please enter username for my-private-webpages at users.ox.ac.uk"

    AuthUserFile is the location of the file you created in step [1]. This file is actually held on the web server. Therefore you need to give it a path name which is meaningful to the web server:
    1. Type webhome to obtain the path of your home filestore on the web server. For example:


    2. The path to your cgi directory is then the value returned by "webhome" and with "cgi" appended:


    3. The full pathname then becomes:


  5. Make sure that .htaccess has got world read access:
    % chmod a+r .htaccess
  6. If you want to authenticate by both username/password and client host address, you can use the Satisfy directive in .htaccess to specify whether access is allowed if either test is passed, or if both must be passed (the default).

Up: Contents Previous: 4. How do you restrict access to web pages? Next: 6. Making a custom error page and redirect