More Web Publishing Information
These steps really have to be performed from the Unix command line. Please also note that preparing files in a non-Unix text editor (Windows or Mac) may not work as expected due to the different line break characters used.
1. Create a file named .htaccess in the directory you wish to protect, that looks similar to the following.
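    # Basic authentication against the password and group files named below
    AuthType Basic
    AuthUserFile /home/lemming/htpasswd
    AuthGroupFile /home/lemming/htgroup
    AuthName Private
    # Directives inside <Limit GET POST> apply only to GET, HEAD and POST requests
    <Limit GET POST>
    require group private
    order allow,deny
    allow from all
    </Limit>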
2. Create your htpasswd file using the htpasswd command, in the directory you specified above in .htaccess.
    htpasswd -c passwd_file user_name
    htpasswd -c /home/lemming/htpasswd username1
The above command both creates the password file and adds the first user name to it. You should be prompted for a password for the user. You can add further users to the password file using the same command but without the -c switch.
3. Create your htgroup file (using a text editor). It should look something like:
It's also possible to restrict access according to the client's location. For example, you could restrict a directory to be accessed only from within .umn.edu using a .htaccess file like this:
    <Limit GET POST>
    order deny,allow
    deny from all
    allow from .umn.edu
    </Limit>
You can also restrict access to our department only, but you have to list all the domain names in use here (e.g., hep.umn.edu, space.umn.edu, astro.umn.edu, etc). Note that restricting access in this way doesn't give full security, as it's possible to spoof the domain name… although for most purposes it should be “good enough”.
If you're working on your pages locally, it may be difficult to test your access rules, to make sure they are working! One way you can do a partial test is to give your protected URL to a web validation service (for example, the W3C validator). If the access control is working, the validator will report not being able to check the page.
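The consistency check below is an added example, not part of the original page: it reads a .htaccess like the one in step 1, confirms that the password and group files it names exist, flags Windows line breaks, and verifies that every member of the required group has a password entry. The function name check_htaccess, the scratch directory and the sample file contents are constructed for the demo, and the group file is assumed to use Apache's "groupname: user1 user2" layout.

```shell
#!/bin/sh
# Added example: cross-check a .htaccess file against its password and group files.
# Prints one line per problem; the return status is the number of problems found.
check_htaccess() {
    ht=$1
    problems=0
    report() { echo "PROBLEM: $*"; problems=$((problems + 1)); }
    # Print field N of the first line whose leading word(s) match, ignoring case.
    field() {
        tr -d '\r' < "$ht" | awk -v n="$1" -v a="$2" -v b="$3" \
            'tolower($1) == a && (b == "" || tolower($2) == b) { print $n; exit }'
    }
    [ -f "$ht" ] || { report "missing file: $ht"; return "$problems"; }
    pw=$(field 2 authuserfile)
    gf=$(field 2 authgroupfile)
    grp=$(field 3 require group)

    for f in "$ht" "$pw" "$gf"; do
        [ -f "$f" ] || { report "missing file: '$f'"; continue; }
        # Windows (CRLF) line breaks, the editor problem the page warns about.
        if grep -q "$(printf '\r')" "$f"; then report "CR line breaks in $f"; fi
    done
    [ -f "$pw" ] && [ -f "$gf" ] || return "$problems"

    # Group file format: "groupname: user1 user2 ..."
    members=$(tr -d '\r' < "$gf" | awk -F: -v g="$grp" '$1 == g { print $2 }')
    [ -n "$members" ] || report "group '$grp' has no members in $gf"
    for u in $members; do
        awk -F: -v u="$u" '$1 == u { ok = 1 } END { exit !ok }' "$pw" ||
            report "user $u is in group $grp but has no entry in $pw"
    done
    return "$problems"
}

# Constructed sample files in a scratch directory (not real accounts or hashes).
demo=$(mktemp -d)
printf 'AuthType Basic\nAuthUserFile %s/htpasswd\nAuthGroupFile %s/htgroup\n' \
    "$demo" "$demo" > "$demo/.htaccess"
printf 'AuthName Private\n<Limit GET POST>\nrequire group private\n</Limit>\n' \
    >> "$demo/.htaccess"
printf 'username1:PLACEHOLDER_HASH\n' > "$demo/htpasswd"
printf 'private: username1 username2\r\n' > "$demo/htgroup"   # saved with CRLF
check_htaccess "$demo/.htaccess"
echo "problems found: $?"
```

Run it against your own file with check_htaccess /path/to/.htaccess; a status of 0 means the three files are consistent with each other, not that the server is enforcing them.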