Password Protection and Authentication: Locking down Apache with .htaccess
April 10th, 2007
How to password-protect a directory or a file, and how to Allow or Deny a visitor based on a condition such as the client's IP address or hostname. If you are having trouble getting htaccess-based password protection to work, see: Troubleshooting htaccess Authentication: Getting it to work. Note that these directives only take effect in a .htaccess file when the server's AllowOverride for that directory includes AuthConfig (for the Auth* and Require directives) and Limit (for Order, Allow and Deny).
Generate Your authentication htpasswd files with my free Online Password Generator!
Require password for 1 file only

<Files login.php>
Order deny,allow
Deny from all
AuthName "htaccess password prompt"
AuthType Basic
AuthUserFile /home/askapache.com/.htpasswd
Require valid-user
Satisfy Any
</Files>

Apache's default is Satisfy All, meaning a visitor must pass both the host check (Order/Allow/Deny) and the password check (Require). With Deny from all and no Allow line nobody passes the host check, so without Satisfy Any this block answers 403 to everyone, valid password or not. Satisfy Any turns it into "password required unless an Allow line matches", which is the intended behaviour. The simplest form of one-file protection needs no Order or Deny lines at all: just the three Auth* directives and Require valid-user inside the <Files> container. AuthUserFile must be an absolute filesystem path, and the file should live outside the document root so it can never be served.

Require password for multiple files

The pattern matches the listed base names with any extension, so exec.php, env.cgi, doit.pl, phpinfo.php and w.cgi all get the password prompt:

<FilesMatch "^(exec|env|doit|phpinfo|w)\..*$">
Order deny,allow
Deny from all
AuthName "htaccess password prompt"
AuthType Basic
AuthUserFile /home/askapache.com/.htpasswd
Require valid-user
Satisfy Any
</FilesMatch>

Allow from a subnet given as address and netmask

Order deny,allow
Deny from all
Allow from 10.1.0.0/255.255.0.0

Allow from a single IP address

Order deny,allow
Deny from all
Allow from 10.1.2.3

Allow from several IP addresses

Order deny,allow
Deny from all
Allow from 192.168.1.104 192.168.1.205

Allow from partial IP addresses (one to three leading octets; 10.1 covers 10.1.0.0 through 10.1.255.255, and does not match 10.10.x.x)

Order deny,allow
Deny from all
Allow from 10.1
Allow from 10 172.20 192.168.2

Allow from a subnet in CIDR notation

Order deny,allow
Deny from all
Allow from 10.1.0.0/16

Allow from an IPv6 address and an IPv6 prefix

Order deny,allow
Deny from all
Allow from 2001:db8::a00:20ff:fea7:ccea
Allow from 2001:db8::a00:20ff:fea7:ccea/10

Allow a whole domain but deny one host in it

Order Allow,Deny
Allow from apache.org
Deny from wireshark.apache.org

With Order Allow,Deny the Allow lines are evaluated first and a matching Deny line overrides them, so wireshark.apache.org is refused while every other host under apache.org is admitted; clients matching neither line are denied. Hostname arguments force Apache to do a reverse DNS lookup on the client address and a forward lookup to confirm it, on every request, and they trust whoever controls that DNS; prefer IP-based rules wherever you can.

Allow from one IP address without a password, require a password from everyone else

Order deny,allow
Deny from all
AuthName "htaccess password prompt"
AuthType Basic
AuthUserFile /home/askapache.com/.htpasswd
Require valid-user
Allow from 172.17.10.1
Satisfy Any
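The interaction between Order/Allow/Deny, Require valid-user and Satisfy is where these snippets go wrong most often, so here is a small model of the Apache 2.2 evaluation rules that you can run against the configurations above. This is an added example written for this page, not code from the tutorial or from Apache; it covers only the IP address forms used in the snippets (hostname arguments such as apache.org need DNS and are rejected), and the configuration dictionaries, client addresses and status codes are constructed for illustration.

```python
"""Model of how Apache 2.2 combines host-based access control (Order /
Allow / Deny) with password authentication (Require valid-user) under
Satisfy All and Satisfy Any.

Added example, not code from the AskApache page or from Apache. Only the
IP address forms used in the snippets above are modelled; hostname
arguments such as "apache.org" raise ValueError because they need DNS.
"""
import ipaddress


def host_matches(pattern: str, client: str) -> bool:
    """Match one Allow/Deny argument against a client IP address.

    Handles 'all', CIDR (10.1.0.0/16, 2001:db8::/10), address/netmask
    (10.1.0.0/255.255.0.0), a full address, and a partial dotted IPv4
    prefix of one to three octets (10, 10.1, 172.20).
    """
    if pattern.lower() == "all":
        return True
    ip = ipaddress.ip_address(client)
    if "/" in pattern:
        # ip_network accepts both prefix lengths and dotted netmasks
        return ip in ipaddress.ip_network(pattern, strict=False)
    try:
        return ip == ipaddress.ip_address(pattern)
    except ValueError:
        pass
    if ip.version == 4 and all(p.isdigit() for p in pattern.split(".")):
        # Partial IPv4: whole leading octets only, so "10.1" matches
        # 10.1.9.9 but not 10.10.0.1
        return (client + ".").startswith(pattern + ".")
    raise ValueError(f"unsupported (hostname?) pattern: {pattern!r}")


def host_allowed(order: str, allow, deny, client: str) -> bool:
    """Evaluate Order Deny,Allow / Order Allow,Deny as mod_authz_host does."""
    in_allow = any(host_matches(p, client) for p in allow)
    in_deny = any(host_matches(p, client) for p in deny)
    order = order.lower().replace(" ", "")
    if order == "deny,allow":
        # Deny is evaluated first and Allow overrides it; unmatched clients pass
        return in_allow or not in_deny
    if order == "allow,deny":
        # Allow is evaluated first and Deny overrides it; unmatched clients fail
        return in_allow and not in_deny
    raise ValueError(f"unknown Order {order!r}")


def decide(config: dict, client: str, credentials_ok: bool) -> int:
    """Return the status Apache would send: 200, 401 or 403.

    config keys: order, allow, deny, require_user (bool), satisfy ('all'|'any').
    credentials_ok says whether the request carried a valid Basic header.
    """
    host_ok = host_allowed(config.get("order", "deny,allow"),
                           config.get("allow", []), config.get("deny", []), client)
    if not config.get("require_user", False):
        return 200 if host_ok else 403
    if config.get("satisfy", "all").lower() == "all":   # Apache's default
        if not host_ok:
            return 403          # host check fails first; no password prompt
        return 200 if credentials_ok else 401
    # Satisfy Any: a matching Allow is enough, everyone else must log in
    return 200 if (host_ok or credentials_ok) else 401


# Configurations transcribed from the snippets above (constructed here).
DENY_ALL_SATISFY_ALL = {"order": "deny,allow", "deny": ["all"], "require_user": True}
DENY_ALL_SATISFY_ANY = dict(DENY_ALL_SATISFY_ALL, satisfy="any")
SUBNET_NETMASK = {"order": "deny,allow", "deny": ["all"], "allow": ["10.1.0.0/255.255.0.0"]}
PARTIAL_PREFIXES = {"order": "deny,allow", "deny": ["all"], "allow": ["10.1", "172.20", "192.168.2"]}
IPV6_PREFIX = {"order": "deny,allow", "deny": ["all"], "allow": ["2001:db8::a00:20ff:fea7:ccea/10"]}
OFFICE_OR_PASSWORD = {"order": "deny,allow", "deny": ["all"], "allow": ["172.17.10.1"],
                      "require_user": True, "satisfy": "any"}
# Satisfy Any with Require valid-user but no Deny line: the default-allow
# host check already passes, so nobody is ever asked for a password.
MISSING_DENY = {"order": "deny,allow", "require_user": True, "satisfy": "any"}

if __name__ == "__main__":
    cases = [
        ("Deny from all, Satisfy All, valid password", DENY_ALL_SATISFY_ALL, "203.0.113.5", True),
        ("Deny from all, Satisfy Any, valid password", DENY_ALL_SATISFY_ANY, "203.0.113.5", True),
        ("Deny from all, Satisfy Any, no password", DENY_ALL_SATISFY_ANY, "203.0.113.5", False),
        ("office IP, no password", OFFICE_OR_PASSWORD, "172.17.10.1", False),
        ("outside IP, no password", OFFICE_OR_PASSWORD, "203.0.113.5", False),
        ("Satisfy Any without Deny, no password", MISSING_DENY, "203.0.113.5", False),
    ]
    for name, cfg, client, creds in cases:
        print(f"{name:48} -> {decide(cfg, client, creds)}")
```

The first case is the trap: Deny from all plus Require valid-user under the default Satisfy All returns 403 to everyone, and the last case is the opposite trap reported in the comments below, where Satisfy Any without a Deny line lets everyone in without a password.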
I use this .htaccess file when I start a new site, and uncomment or delete parts of it depending on the site's needs:
#
# DEFAULT SETTINGS
#
Options +ExecCGI -Indexes
DirectoryIndex index.php index.html index.htm
ErrorDocument 400 /cgi-bin/error.php
ErrorDocument 401 /cgi-bin/error.php
ErrorDocument 403 /cgi-bin/forbidden.cgi
ErrorDocument 404 /404.html
ErrorDocument 405 /cgi-bin/error.php
ErrorDocument 406 /cgi-bin/error.php
ErrorDocument 409 /cgi-bin/error.php
ErrorDocument 413 /cgi-bin/error.php
ErrorDocument 414 /cgi-bin/error.php
ErrorDocument 500 /cgi-bin/error.php
ErrorDocument 501 /cgi-bin/error.php
### DEFAULTS
ServerSignature Off
AddType video/x-flv .flv
AddType application/x-shockwave-flash .swf
AddType image/x-icon .ico
AddDefaultCharset UTF-8
AddLanguage en-US .html .htm .txt .xml .php
SetEnv TZ America/Indianapolis
SetEnv SERVER_ADMIN webmaster@askapache.com
### PHPINI-CGI
#AddHandler php-cgi .php
#Action php-cgi /cgi-bin/php5.cgi
### FAST-CGI
#AddHandler fastcgi-script .fcg .fcgi .fpl
#AddHandler php5-fastcgi .php
#Action php5-fastcgi /cgi-bin/fastcgi.fcgi
#
# HEADERS and CACHING
#
# 48 WEEKS (29030400 seconds, just under 1 year)
<FilesMatch "\.(flv|ico|pdf)$">
Header set Cache-Control "max-age=29030400, public"
</FilesMatch>
# 1 WEEK
<FilesMatch "\.(jpg|jpeg|png|gif|swf)$">
Header set Cache-Control "max-age=604800, public"
</FilesMatch>
# 3 HOUR
<FilesMatch "\.(txt|xml|js|css)$">
Header set Cache-Control "max-age=10800"
</FilesMatch>
# NEVER CACHE (dynamic pages)
<FilesMatch "\.(html|htm|php)$">
Header set Cache-Control "max-age=0, private, no-store, no-cache, must-revalidate"
Header set P3P "policyref=\"/w3c/p3p.xml\", CP=\"NOI DSP COR NID CUR ADM DEV OUR BUS\""
Header set imagetoolbar "no"
</FilesMatch>
#
# REWRITES AND REDIRECTS
#
### SEO REDIRECTS
#Redirect 301 /ssl-ns.html /2006/htaccess/apache-ssl-in-htaccess-examples.html
#Redirect 301 /ht.tml
#Redirect 301 /index.html /
#RedirectMatch 301 /2006/htaccess-forum/(.*) /2006/htaccess/$1
#RedirectMatch 301 /(.*)rfc2616(.*) http://rfc.askapache.com/rfc2616/rfc2616.html
#RedirectMatch 301 /phpmanual(.*) /manual/en/$1
### REWRITES
RewriteEngine On
RewriteBase /
### WORDPRESS
#<IfModule mod_rewrite.c>
#RewriteEngine On
#RewriteBase /
#RewriteCond %{REQUEST_FILENAME} !-f
#RewriteCond %{REQUEST_FILENAME} !-d
#RewriteRule . /index.php [L]
#</IfModule>
### REQUIRE WWW (the target must carry the www host, otherwise the redirect loops back to the same URL)
#RewriteCond %{HTTP_HOST} !^www\.askapache\.com$ [NC]
#RewriteRule ^(.*)$ http://www.askapache.com/$1 [R=301,L]
### STOP LOOP CODE
#RewriteCond %{ENV:REDIRECT_STATUS} 200
#RewriteRule ^.*$ - [L]
### REDIRECT BLOG FEED TO FEEDBURNER
#RewriteCond %{HTTP_USER_AGENT} !^.*(FeedBurner|FeedValidator|Recent) [NC]
#RewriteRule ^feed/?.*$ http://feeds.feedburner.com/apache/htaccess [L,R=302]
### BLOCK WGET (the User-Agent header is chosen by the client, so this only stops the default Wget string)
#RewriteCond %{HTTP_USER_AGENT} ^Wget.* [NC]
#RewriteRule .* /cgi-bin/forbidden.cgi [L]
#
# AUTHENTICATION
#
### BASIC PASSWORD PROTECTION
#AuthName "Prompt"
#AuthUserFile /home/askapache.com/.htpasswd
#AuthType Basic
#Require valid-user
### UNDER CONSTRUCTION PROTECTION
### (Satisfy Any: the listed hosts get in without a password, everyone else is prompted;
###  hostname entries cost a reverse plus forward DNS lookup on every request)
#AuthName "Under Development"
#AuthUserFile /home/askapache.com/.htpasswd
#AuthType Basic
#Require valid-user
#Order Deny,Allow
#Deny from all
#Allow from 23.23.23.1 w3.org googlebot.com google.com google-analytics.com
#Satisfy Any
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution 3.0 License; just credit with a link.
This site is not supported or endorsed by The Apache Software Foundation (ASF). All software and documentation produced by The ASF is licensed according to these terms. "Apache" is a trademark of The ASF.
Hi,
I encountered this problem.
I have
.htaccess file:
and
c.htpasswd file
When I log in to the protected page for the first time I enter chris:a2wssd and I am allowed to enter the page. Next I change the password in the c.htpasswd file into a2ws4ss. And I still have access to the page just using the refresh button in my Firefox browser. It looks like the Apache server didn't notice that I have changed the password value in the meantime. What's wrong? I need to stop immediately the access to the protected page by changing the password in the file.
Regards, chris
Thanks for the snippets, I pasted them into my blog since I tend to forget them very easily :)
Just one question: why do you think it’s better to put ErrorDocument override in .htaccess files rather than vhost definitions?
I place them in vhost definition files because they don’t ever change (almost). I guess it’s just a matter of personal taste though
Thanks mate :)
@Fred
Absolutely right. Thanks for the heads-up, that's a pretty big foul-up on my part.
Regarding "Require password for 1 file only", shouldn't this:
be this:
Your example allowed anyone in on two of my systems because of the lack of a deny clause. Adding the two lines solved it.
I deactivated the plugin, tried to modify the .htaccess in wp-admin, but still cannot get into my admin panel. Help!!!!!!