Web Access Control
You can add simple password protection to a set of pages by adding a file named .htaccess to the containing directory. Be aware that unless pages are served using HTTPS, usernames and passwords will be sent unencrypted, and so this should not be relied upon for anything requiring actual security.
A basic .htaccess file might look like the following:
order deny,allow
deny from all
allow from 194.36.1
AuthType Basic
AuthUserFile PATHNAME/htpasswd.users
AuthName "Internal User"
require valid-user
satisfy any
<Files htpasswd.users>
deny from all
satisfy all
</Files>
Options All
This refers to a password file named htpasswd.users, which is assumed to be in the same directory as the .htaccess file (hence the inclusion of a <Files> block to protect this file). In this example, users with IP addresses starting 194.36.1 are allowed to access without providing a password, while all other users will be prompted for a username and password which will be tested against the contents of the htpasswd.users file.
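The access decision described above can be modelled in a few lines. This is an added example, not part of the original page or of Apache itself; the function names are hypothetical, and it assumes Apache's documented handling of a partial address in "allow from" as 1 to 3 leading octets (a subnet, not a string prefix).

```python
import ipaddress

def partial_to_network(partial):
    """Convert a partial address such as '194.36.1' into the subnet it names."""
    octets = partial.rstrip(".").split(".")
    if not 1 <= len(octets) <= 3:
        raise ValueError("expected 1 to 3 leading octets")
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.ip_network(f"{'.'.join(padded)}/{8 * len(octets)}")

# Values taken from the example .htaccess file
ALLOWED_NET = partial_to_network("194.36.1")   # 194.36.1.0/24
PASSWORD_FILE = "htpasswd.users"

def host_allowed(client_ip, filename):
    """Host-based check: the 'order', 'deny from' and 'allow from' lines."""
    if filename == PASSWORD_FILE:
        # <Files htpasswd.users> has "deny from all" and no allow line
        return False
    # deny from all, then allow from 194.36.1 overrides for that subnet
    return ipaddress.ip_address(client_ip) in ALLOWED_NET

def decide(client_ip, filename, valid_user):
    """Return 'allow', 'prompt' (401, ask for a password) or 'deny' (403).

    valid_user is True when the supplied username and password matched
    an entry in htpasswd.users.
    """
    host_ok = host_allowed(client_ip, filename)
    if filename == PASSWORD_FILE:
        # satisfy all: host check AND login must both pass; host never does
        return "allow" if (host_ok and valid_user) else "deny"
    # satisfy any: passing either the host check or the login is enough
    if host_ok or valid_user:
        return "allow"
    return "prompt"

if __name__ == "__main__":
    # Constructed sample requests: (client IP, requested file, valid login?)
    samples = [
        ("194.36.1.77", "index.html", False),
        ("194.36.10.5", "index.html", False),   # shares the string prefix only
        ("194.36.10.5", "index.html", True),
        ("194.36.1.77", "htpasswd.users", True),
    ]
    for ip, name, ok in samples:
        print(f"{ip:<13} {name:<15} login={ok!s:<5} -> {decide(ip, name, ok)}")
```

Note that 194.36.10.5 is prompted for a password even though its text begins with "194.36.1": the match is on whole octets, so only 194.36.1.0 to 194.36.1.255 skip the prompt.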
The htpasswd.users file can be created using the Linux htpasswd command (more information can be found in the htpasswd documentation). You should not use PPE usernames and passwords when creating this file; as there is no real security, passwords should be considered disposable.