Web Access Control
Any set of page(s) can be protected by a simple password by using an .htaccess file. This file should be placed in the directory containing the files or directories that need to be protected. For example:
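# Hosts in 194.36.1.x get in without a password; all other addresses are denied
order deny,allow
deny from all
allow from 194.36.1
# Everyone else can authenticate with a username and password
AuthType Basic
AuthUserFile /data/www01/somearea/htpasswd.users
AuthName "Internal User"
require valid-user
# Passing either the address check or the login is sufficient
satisfy any
# Never serve the password file itself
<Files htpasswd.users>
deny from all
satisfy all
</Files>
Options All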
In this example any user from the subnet 194.36.1.x is allowed access to the file(s) or directories in the directory where the .htaccess file is placed. If a user outside the 194.36.1.x subnet tries to browse this area, they will receive a dialog box entitled "Internal User" asking for a username and password. If the username and password match an entry in the file /data/www01/somearea/htpasswd.users then the user will be allowed to view the web pages.
Notice that /data/www01/somearea/htpasswd.users in this example is assumed to be in the same directory as the .htaccess file, so that the .htaccess file protects the htpasswd.users file. The htpasswd.users file can be created with the Linux command htpasswd. This command is available on all Linux desktops. When generating this file, DO NOT pick a user name which suggests users should use their Linux username and password. The username and password exchanged during authentication are not encrypted, and therefore could be sniffed.
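The two points above (the password file must be shielded by its own <Files> block, and Basic authentication is unencrypted) can be checked mechanically. The following is an added example, not part of the original page: the helper names parse, locked_down and audit and the finding labels are hypothetical, and it is a simplified text check rather than a reimplementation of Apache's configuration merging.

```python
import fnmatch
import re
# Constructed input: the .htaccess from this page, assumed to sit in /data/www01/somearea.
SAMPLE = """\
order deny,allow
deny from all
allow from 194.36.1
AuthType Basic
AuthUserFile /data/www01/somearea/htpasswd.users
AuthName "Internal User"
require valid-user
satisfy any
<Files htpasswd.users>
deny from all
satisfy all
</Files>
Options All
"""

def parse(text):
    """Return (top-level directives, {<Files> pattern: directives}) as (name, args) pairs."""
    top, files, current = [], {}, None
    for line in map(str.strip, text.splitlines()):
        opened = re.fullmatch(r'<Files\s+"?([^">]+)"?\s*>', line, re.I)
        if opened:
            current = files.setdefault(opened.group(1), [])
        elif line.lower() == "</files>":
            current = None
        elif line and not line.startswith("#"):
            name, _, args = line.partition(" ")
            (top if current is None else current).append((name.lower(), " ".join(args.split())))
    return top, files

def locked_down(block):
    """True if a <Files> block denies every host and overrides the outer 'satisfy any'."""
    rules = {(name, args.lower()) for name, args in block}
    return {("deny", "from all"), ("satisfy", "all")} <= rules and not any(n == "allow" for n, _ in rules)

def audit(text, htaccess_dir):
    """Hypothetical helper: finding labels for an .htaccess stored in htaccess_dir."""
    top, files = parse(text)
    conf, findings = dict(top), []
    folder, _, name = conf.get("authuserfile", "").strip('"').rpartition("/")
    covered = any(fnmatch.fnmatch(name, pat) and locked_down(blk) for pat, blk in files.items())
    if folder == htaccess_dir.rstrip("/") and not covered:
        findings.append("userfile-exposed")  # password file sits in the served directory unprotected
    if conf.get("authtype", "").lower() == "basic":
        findings.append("basic-auth-cleartext")  # credentials cross the network unencrypted
    return findings
```

Run against the page's file, audit(SAMPLE, "/data/www01/somearea") reports only the Basic authentication finding; dropping the <Files> block or its "satisfy all" line adds "userfile-exposed".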
--
AndrewPickford - 25 Jan 2009