Indiana University Bloomington

School of Informatics and Computing


Q: How do I limit access to my web pages with a password?

Please Note: This FAQ entry describes a mechanism to limit access to web pages via the web server. If you also want to prevent access by people with local CS accounts, you MUST take extra steps to prevent access via the local filesystem. Please see the corresponding FAQ entry for more information.

Let's say you want to require a user to know a password to access a web page but you don't want to use the UITS Network ID and password as described in that FAQ entry. You might want to do this if the people who need access are not affiliated with IU or if you want to create a single password to be used by several people to access the pages.

As an example, let's say I want to allow access to users jane and joe, with passwords janepw and joepw, respectively. First, you must create a password file for the access. This file contains one line per user of the form:


The easiest way to create this password file is using the htpasswd command. To create the password file /u/robh/passwords/project1 and add the user jane, you would run:

htpasswd -c /u/robh/passwords/project1 jane

You will be prompted for the password. If you want to add additional users, you just rerun the htpasswd command without the -c (create) flag. For example, to add an entry for joe:

htpasswd /u/robh/passwords/project1 joe

Alternatively, you could use the cryptit command to generate an encrypted password. Using the current example:

% cryptit janepw
Encypted version of janepw = XDLQPSf.S0z4E
% cryptit joepw
Encypted version of joepw = XD7FW.bG2qz6s
So, we would create a password file with the following contents:
You can call this file anything you want. For this example, let's call it /u/robh/passwords/project1.

Next, create a .htaccess file in the directory you want to protect that contains:

AuthUserFile /u/robh/passwords/project1
AuthGroupFile /dev/null
AuthName "Project 1 Authentication"
AuthType Basic

require user jane joe

The path you need to use for the password file used in the above AuthUserFile line depends on what accounts you have. If you have a CS Sharkestra account and that's where your password file lives, you can just use /u/username. If you only have a Burrow account, you will have to use /nfs/nfs1/u/username.

Note that the mechanism shown here will result in cleartext passwords being transferred across the network if you use http:// URLs. To prevent this from happening, create a file called .htaccess_nonssl in the same directory as the .htaccess file and put the following line in that file:

deny from all
This will require you to use secure urls of the form https:// in order to access the pages. If you want to redirect http access to https instead of denying them, you can use the following in the .htaccess_nonssl:

Redirect permanent /

If you are using the cgi server (via cgi-pub) instead of the web server then you will have to do the redirect slightly differently:

Redirect permanent /~username

Also note that your password and .htaccess files must be readable by the www user. This generally means that the files must be world readable. If you need to limit access to these files so they are accessible by the web server but not by users with local CS accounts, please see the associated FAQ.

See an error in this FAQ entry? Please report it.

[Return to the FAQ index]