These steps really have to be performed from the Unix command line. Please also note that preparing files in a non-Unix text editor (Windows or Mac) may not work as expected because of the different line-break characters used.
1. Create a file named .htaccess in the directory you wish to protect, that looks similar to the following.
AuthType Basic
AuthUserFile /home/lemming/htpasswd
AuthGroupFile /home/lemming/htgroup
AuthName Private
<Limit GET POST>
require group private
order allow,deny
allow from all
</Limit>
<note> NOTE: Make sure your htpasswd and htgroup files are outside of the public-html directory, so they can't be downloaded using the web server. In this example, the home directory is /home/lemming, and we put the password and group files here as they will be inaccessible via the web. The word “private” above is the group name we are going to use (you can name it what you want). </note>
2. Create your htpasswd file using the htpasswd command, in the directory you specified above in .htaccess.
htpasswd -c passwd_file user_name
e.g.,
htpasswd -c /home/lemming/htpasswd username1
The above command both creates the password file and adds the first user name to it. You should be prompted for a password for the user. You can add further users to the password file using the same command but without the -c switch.
<note> Don't use the same password as you use for your Physics account or UMN internet account - the personal or group web pages do not use a secure connection, so the password isn't as safe against snooping as most other logins. </note>
3. Create your htgroup file (using a text editor). It should look something like:
private:username1 username2
<note> NOTE: The group name “private” needs to match the specified group name in the .htaccess file (step 1 above) in the “require group private” line. </note>
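As an added example (not part of the original page), the following shell function checks the things the notes in steps 1 to 3 warn about: non-Unix line breaks in .htaccess, password and group files placed inside the web-served directory, and a group name that does not match the htgroup file. The function name and the WEBROOT argument are assumptions made for this example.

```sh
#!/bin/sh
# Usage: check_htaccess PROTECTED_DIR WEBROOT
# Prints each problem found and returns the number of problems (0 = none).
# WEBROOT is the directory the web server publishes (an assumed parameter).
check_htaccess() {
    ht="$1/.htaccess"; webroot=$2; problems=0
    [ -f "$ht" ] || { echo "problem: missing $ht"; return 1; }
    note() { echo "problem: $*"; problems=$((problems + 1)); }

    # Files saved by Windows or Mac editors may carry carriage returns.
    cr=$(printf '\r')
    grep -q "$cr" "$ht" && note "$ht contains non-Unix line breaks"

    # Read the directives, ignoring any carriage returns.
    directive() { tr -d '\r' < "$ht" | awk -v d="$1" '$1 == d { print $2; exit }'; }
    userfile=$(directive AuthUserFile)
    groupfile=$(directive AuthGroupFile)
    group=$(tr -d '\r' < "$ht" |
            awk '$1 == "require" && $2 == "group" { print $3; exit }')

    # Password and group files must exist outside the published tree.
    # (Plain string comparison: symlinks and ".." are not resolved.)
    for f in "$userfile" "$groupfile"; do
        case $f in
            "")           note "AuthUserFile or AuthGroupFile is not set" ;;
            "$webroot"/*) note "$f is inside $webroot" ;;
            *)            [ -f "$f" ] || note "$f does not exist" ;;
        esac
    done

    # The group named in "require group" must be defined in the group file,
    # and each member needs an entry in the password file.
    if [ -n "$group" ] && [ -f "$groupfile" ]; then
        if ! grep -q "^$group:" "$groupfile"; then
            note "group '$group' is not defined in $groupfile"
        elif [ -f "$userfile" ]; then
            for m in $(sed -n "s/^$group://p" "$groupfile"); do
                grep -q "^$m:" "$userfile" || note "no password entry for '$m'"
            done
        fi
    fi
    return "$problems"
}
```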
It's also possible to restrict access according to the client's location. For example, you could restrict a directory to be accessed only from within .umn.edu using a .htaccess file like this:
<Limit GET POST>
order deny,allow
deny from all
allow from .umn.edu
</Limit>
You can also restrict access to our department only, but you have to list all the domain names in use here (e.g., hep.umn.edu, space.umn.edu, astro.umn.edu, etc). Note that restricting access in this way doesn't give full security, as it's possible to spoof the domain name… although for most purposes it should be “good enough”.
If you're working on your pages locally, it may be difficult to test your access rules, to make sure they are working! One way you can do a partial test is to give your protected URL to a web validation service (for example, the W3C validator). If the access control is working, the validator will report not being able to check the page.