Apache Authentication in htaccess

FREE THOUGHT · FREE SOFTWARE · FREE WORLD

Apache Authentication in htaccess

How to password-protect, Allow or Deny a visitor based on a condition. If you are having trouble getting htaccess-based password protection to work see: Troubleshooting htaccess Authentication: Getting it to work

Generate Your authentication htpasswd files with my free Online Password Generator!

| .htaccess Tutorial Index |

Require password for 1 file only

<Files login.php>
Order deny,allow
Deny from all
AuthName "htaccess password prompt"
AuthType Basic
AuthUserFile /home/askapache.com/.htpasswd
Require valid-user
</Files>

Protect multiple files:

<FilesMatch "^(exec|env|doit|phpinfo|w)\.*$">
Order deny,allow
Deny from all
AuthName "htaccess password prompt"
AuthUserFile /.htpasswd
AuthType basic
Require valid-user
</FilesMatch>

Using the Apache Allow Directive in htaccess

network/netmask pair

Order deny,allow
Deny from all
Allow from 10.1.0.0/255.255.0.0

IP address

Order deny,allow
Deny from all
Allow from 10.1.2.3

More than 1 IP address

Order deny,allow
Deny from all
Allow from 192.168.1.104 192.168.1.205

Partial IP addresses, first 1 to 3 bytes of IP, for subnet restriction

Order deny,allow
Deny from all
Allow from 10.1
Allow from 10 172.20 192.168.2

network/nnn CIDR specification

Order deny,allow
Deny from all
Allow from 10.1.0.0/16

IPv6 addresses and subnets

Order deny,allow
Deny from all
Allow from 2001:db8::a00:20ff:fea7:ccea
Allow from 2001:db8::a00:20ff:fea7:ccea/10

Deny subdomains

Order Allow,Deny
Allow from apache.org
Deny from wireshark.apache.org

Allow from IP without password prompt, and also allow from any address with password prompt

Order deny,allow
Deny from all
AuthName "htaccess password prompt"
AuthUserFile /home/askapache.com/.htpasswd
AuthType Basic
Require valid-user
Allow from 172.17.10.1
Satisfy Any

Skeleton .htaccess file to start with

I use this when I start a new site, and uncomment or delete parts of the file depending on the sites needs

Ultimate htaccess file sample

#
#            DEFAULT SETTINGS
#
Options +ExecCGI -Indexes
DirectoryIndex index.php index.html index.htm
 
ErrorDocument 400 /cgi-bin/error.php
ErrorDocument 401 /cgi-bin/error.php
ErrorDocument 403 /cgi-bin/forbidden.cgi
ErrorDocument 404 /404.html
ErrorDocument 405 /cgi-bin/error.php
ErrorDocument 406 /cgi-bin/error.php
ErrorDocument 409 /cgi-bin/error.php
ErrorDocument 413 /cgi-bin/error.php
ErrorDocument 414 /cgi-bin/error.php
ErrorDocument 500 /cgi-bin/error.php
ErrorDocument 501 /cgi-bin/error.php
 
### DEFAULTS
ServerSignature Off
 
AddType video/x-flv .flv
AddType application/x-shockwave-flash .swf
AddType image/x-icon .ico
 
AddDefaultCharset UTF-8
AddLanguage en-US .html .htm .txt .xml .php
 
SetEnv TZ America/Indianapolis
SetEnv SERVER_ADMIN webmaster@askapache.com
 
### PHPINI-CGI
#AddHandler php-cgi .php
#Action php-cgi /cgi-bin/php5.cgi
 
### FAST-CGI
#AddHandler fastcgi-script .fcg .fcgi .fpl
#AddHandler php5-fastcgi .php
#Action php5-fastcgi /cgi-bin/fastcgi.fcgi
 
#
#           HEADERS and CACHING
#
# 1 YEAR
<FilesMatch "\.(flv|ico|pdf)$">
Header set Cache-Control "max-age=29030400, public"
</FilesMatch>
 
# 1 WEEK
<FilesMatch "\.(jpg|jpeg|png|gif|swf)$">
Header set Cache-Control "max-age=604800, public"
</FilesMatch>
 
# 3 HOUR
<FilesMatch "\.(txt|xml|js|css)$">
Header set Cache-Control "max-age=10800"
</FilesMatch>
 
# 1 MIN
<FilesMatch "\.(html|htm|php)$">
Header set Cache-Control "max-age=0, private, no-store, no-cache, must-revalidate"
Header set P3P "policyref=\"/w3c/p3p.xml\", CP=\"NOI DSP COR NID CUR ADM DEV OUR BUS\""
Header set imagetoolbar "no"
</FilesMatch>
 
#
#          REWRITES AND REDIRECTS
#
### SEO REDIRECTS
#Redirect 301 /ssl-ns.html /2006/htaccess/apache-ssl-in-htaccess-examples.html
#Redirect 301 /ht.tml
#Redirect 301 /index.html /
#RedirectMatch 301 /2006/htaccess-forum/(.*) /2006/htaccess/$1
#RedirectMatch 301 /(.*)rfc2616(.*) http://rfc.askapache.com/rfc2616/rfc2616.html
#RedirectMatch 301 /phpmanual(.*) /manual/en/$1
 
### REWRITES
RewriteEngine On
RewriteBase /
 
### WORDPRESS
#<IfModule mod_rewrite.c>
#RewriteEngine On
#RewriteBase /
#RewriteCond %{REQUEST_FILENAME} !-f
#RewriteCond %{REQUEST_FILENAME} !-d
#RewriteRule . /index.php [L]
#</IfModule>
 
### REQUIRE WWW
#RewriteCond %{HTTP_HOST} !^www\.askapache\.com$ [NC]
#RewriteRule ^(.*)$ /$1 [R=301,L]
 
### STOP LOOP CODE
#RewriteCond %{ENV:REDIRECT_STATUS} 200
#RewriteRule ^.*$ - [L]
 
### REDIRECT BLOG FEED TO FEEDBURNER
#RewriteCond %{HTTP_USER_AGENT} !^.*(FeedBurner|FeedValidator|Recent) [NC]
#RewriteRule ^feed/?.*$ http://feeds.feedburner.com/apache/htaccess [L,R=302]
 
### BLOCK WGET
#RewriteCond %{HTTP_USER_AGENT} ^Wget.* [NC]
#RewriteRule .* /cgi-bin/forbidden.cgi [L]
 
#
#           AUTHENTICATION
#
### BASIC PASSWORD PROTECTION
#AuthName "Prompt"
#AuthUserFile /home/askapache.com/.htpasswd
#AuthType basic
#Require valid-user
 
### UNDER CONSTRUCTION PROTECTION
#AuthName "Under Development"
#AuthUserFile /home/askapache.com/.htpasswd
#AuthType basic
#Require valid-user
#Order Deny,Allow
#Deny from all
#Allow from 23.23.23.1 w3.org googlebot.com google.com google-analytics.com
#Satisfy Any

htaccess Guide Sections

| .htaccess Tutorial Index |

«
»

Leave your own comment

Reader Comments

  1. Tra ~

    i found this to be an informative and interesting blog.. very useful and knowledge able. Thank you for the efforts you have made in writing this authentication article. Your writing abilities have inspired me..

  2. AK ~

    Your “Allow from IP without password prompt, and also allow from any address with password prompt” example is exactly what I was looking for. Thank you!

  3. Apache Development ~

    I am encountering a problem where I get a 404 page every time I put Require valid-user into the .htaccess of a folder. Any ideas why this might be happening?

  4. martin ~

    Great article, thank you!

  5. Fred ~

    Bobby, create an .htaccess file in your wp-admin directory following the contents listed in “Allow from IP without password prompt, and also allow from any address with password prompt”.

    The “Allow from 172.17.10.1″ should contain your static IP address if you have one, or that of your client if you are building this site for someone else to access. Of course, you can add more than one line in that format. It will allow anyone arriving from an IP in the Allow statement(s) to access the WPAdmin login screen without having the enter the Apache Username/Password combination. Everyone else will be stopped at the Apache login screen, and if they authenticate there they will then receive the WP login screen. I do this on over 100 WP sites.

  6. Bobby Kozora ~

    I’m trying to use apache authentication as added protection to the password protected admin section of one of my sites. The site’s using WordPress. What’s happening is when I access the admin section the .htaccess file in that directory isn’t executing. Well, it will throw errors but if all’s fine it passes back to my root .htaccess which then displays the 404 page. If I remove the .htaccess from my admin directory I can once again access my login page. Any ideas? I’m stumped.

  7. chris jar ~

    Hi,

    I encountered this problem.

    I have .htaccess file:

    AuthType Basic
AuthName "RestrictedFilesmain"
AuthUserFile "d:\Program Files\Apache Group\Apache2\htdocs\main\conf\c.htpasswd"
ErrorDocument 401 "ERROR_ 441 Authorization Required"
ErrorDocument 403 "ERROR_ 403 Forbidden"
ErrorDocument 404 "ERROR_ 404 Not Found"
Require user loggeduser
Require user chris

    and c.htpasswd file

    loggeduser:10144831511059024327
chris:a2wssd

    When I log in into the protected page for the first time I enter chris:a2wssd and I am allowed to enter the page. Next I change password in the c.httpasswd file into a2ws4ss. And I still have access to the page just using refresh button in my Firefox browser.

    It looks like the Apache server didn’t notice that I have change the password value in the mean time. What’s wrong? I need to stop immediately the access to the protected page by changing the password in the file.

    Regards chris

  8. Motosauro ~

    Thanks for the snippets, I pasted them into my blog since I tend to forget them very easily :)

    Just one question: why do you think it’s better to put ErrorDocument override in .htaccess files rather than vhost definitions?
    I place them in vhost definition files because they don’t ever change (almost). I guess it’s just a matter of personal taste though

    Thanks mate :)

  9. AskApache ~

    @ Fred

    Absolutely right. Thanks for the heads, thats a pretty big foul up on my part.

  10. Fred ~

    Regarding “Require password for 1 file only”, shouldn’t this:

    AuthName "htaccess password prompt"
AuthType Basic
AuthUserFile /home/askapache.com/.htpasswd
Require valid-user

    be this:

    AuthName "htaccess password prompt"
AuthType Basic
AuthUserFile /home/askapache.com/.htpasswd
Order deny,allow
Deny from all
Require valid-user

    Your example allowed anyone on in two of my systems because of lack of a deny clause. Adding the two lines solved it.

  11. Lauren ~

    I deactivated the plugin, tried to modify the .htaccess in wp-admin, but still cannot get into my admin panel. Help!!!!!!

Go for it!


It's very simple - you read the protocol and write the code. -Bill Joy

HTML | DCMI | GRDDL | XOXO | XDMP | XFN | DOM | XML | XHTML 1.1 Strict | CSS 2.1 | W3C

Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution 3.0 License, just credit with a link.
This site is not supported or endorsed by The Apache Software Foundation (ASF). All software and documentation produced by The ASF is licensed. "Apache" is a trademark of The ASF. NCSA HTTPd.
UNIX ® is a registered Trademark of The Open Group. POSIX ® is a registered Trademark of The IEEE.

Site Map | Contact Webmaster | Glossary | License and Disclaimer | Terms of Service

↑ TOP
Main