Password Protect Apache
One method of doing this is with .htaccess files. When your server goes to serve a page, it looks in the top directory for an .htaccess file, and then checks each sub-directory down to and including the directory that holds the requested page. So if you place an .htaccess
file in the top directory of your server pages folders, you will
protect all the files in your domain. Read on to see how I used this to
protect my home site.
Let's assume that your username is foo,
and that your web server files are in the default OS X location,
/Library/WebServer/Documents. You need to do the following from within a
terminal session. I'm going to use vi as the editor, but pick your personal favorite.
cd /Library/WebServer/Documents
vi .htaccess
Insert the following lines in the new file:
AuthUserFile /Users/foo/webstuff/.htpasswd
AuthGroupFile /dev/null
AuthName ByPassword
AuthType Basic
<Limit GET>
require user username
</Limit>
Notice that the first line references a file outside the web server's structure, so the password file itself cannot be requested through the web server. In this case, I used a folder called "webstuff" in foo's user directory. You could also add group restrictions, but in this case, I'm just protecting for users ("username" in the sample). Obviously, replace this with the real user name you'd like to use. The require line applies only to the methods named on the "Limit GET" line, so requests made with other methods, e.g. POST or PUT for cgi-bin files, are not password-checked unless you add those methods (with a space between) to the "Limit GET" line.
Next, you need to create a password for username in the location you specified. The htpasswd program will do this for you:
htpasswd -c /Users/foo/webstuff/.htpasswd username
You will be prompted to enter the password twice.
New step added: the last thing you need to do is edit the "apache.conf" file. From a terminal session, using your favorite editor, edit:
/Library/WebServer/Configuration/apache.conf
You want to find the section that looks like this:
#
# This controls which options the .htaccess files in directories can
# override. Can also be "All", None or any combination of "Options", "FileInfo",
# "AuthConfig", and "Limit"
#
AllowOverride None <<<<<<change to "AllowOverride All" >>>>>
Change the last line to read
AllowOverride AuthConfig
I had to change the following line in apache.conf from "AllowOverride None" to "AllowOverride All" to get this to work. Now everything works as advertised.
(You can read the comments if you want a brief explanation of what this does). Save your changes, and restart your webserver. The easiest way to do this is in the terminal:
apachectl restart
That should do it; after completing these steps, you will be required to enter your chosen username and password before opening any page on your site. You can use variations in certain subdirectories to further control access. For example, if you put the .htaccess file in a subdirectory named "vipstuff," then anyone could browse your site password-free, until they requested a page in the "vipstuff" directory.
#
# This controls which options the .htaccess files in directories can
# override. Can also be "All", None or any combination of "Options", "FileInfo",
# "AuthConfig", and "Limit"
#
AllowOverride All
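Two properties of the .htaccess file described above can be checked with a short script: that AuthUserFile points outside the web server's folders, and whether require sits inside a Limit block and therefore covers only the listed methods. This is an added example, not part of the original article; the function name audit_htaccess and the temporary demo paths are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): audit one .htaccess file.
# Usage: audit_htaccess DOCROOT HTACCESS_FILE
# Prints one WARN line per finding; returns 1 if anything was found, else 0.
audit_htaccess() {
    docroot=${1%/}
    file=$2
    found=0

    # 1. AuthUserFile should live outside the document root, as in the article,
    #    so the password file can never be requested over HTTP.
    pwfile=$(awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2; exit }' "$file")
    case "$pwfile" in
        "")
            echo "WARN: no AuthUserFile directive in $file"; found=1 ;;
        "$docroot"/*)
            echo "WARN: AuthUserFile $pwfile is inside document root $docroot"; found=1 ;;
    esac

    # 2. A require inside <Limit ...> is enforced only for the listed methods
    #    (<LimitExcept> is deliberately not matched here).
    limited=$(awk '
        tolower($0) ~ /^[ \t]*<limit[ \t]/ {
            in_limit = 1
            methods = $0
            sub(/^[ \t]*<[A-Za-z]+[ \t]+/, "", methods)
            sub(/[ \t]*>.*/, "", methods)
        }
        in_limit && tolower($1) == "require" { print methods; exit }
        tolower($0) ~ /^[ \t]*<\/limit>/ { in_limit = 0 }
    ' "$file")
    if [ -n "$limited" ]; then
        echo "WARN: require is enforced only for: $limited"; found=1
    fi
    return "$found"
}

# Constructed demo input: the article's sample .htaccess, written to a temp dir.
demo=$(mktemp -d)
mkdir -p "$demo/Documents"
cat > "$demo/Documents/.htaccess" <<EOF
AuthUserFile $demo/webstuff/.htpasswd
AuthType Basic
<Limit GET>
require user username
</Limit>
EOF
audit_htaccess "$demo/Documents" "$demo/Documents/.htaccess" || true
rm -rf "$demo"
```

On the article's sample file the script reports the Limit finding only, because the password file already sits outside the document root.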