Things look quiet here. But I've been doing a lot of blogging at
dan.langille.org because I prefer WordPress now.
Not all my posts there are FreeBSD related.
I am in the midst of migrating The FreeBSD Diary over to WordPress
(and you can read about that here).
Once the migration is completed, I'll move the FreeBSD posts into the
new FreeBSD Diary website.
Apache uses a password file. Each user will have an entry in that file.
first step is creating a password file. Your website may already have one. You
might want to use that. The -c option creates a new file and deletes it
if it exists. I was lucky and it was already on my machine. However, I've
seen many messages in the mailing list which showed that some people were having trouble
creating it. I will eventually find out how to install this program. I found
Here's how I added dan as a user. You may have to supply the full path name as
shown above. You can always issue a locate htpasswd to find it.
$ htpasswd -c httpd_access dan
Adding password for dan.
Re-type new password:
The above creates a file httpd_access. Within that file you will find
something like this:
This contains the encrypted password I entered above (don't bother trying to crack it,
I made that string up). The contents of this file needs to be added to the AuthUserFile
as indicated by .htaccess. See the next section for more information.
Protecting the directory
The basis of directory protection within Apache is the .htaccess file.
Here is a working example to get you going. I added this file to a directory
I wished to protect.
require user susan
With the above configuration, only susan can get access to this directory. You an
also use groups or just all any user. The following statement would allow any valid
user access to the directory.
You also need the service.pwd and service.grp files. Here
are some examples (again, I made up these encrypted passwords):
If your AuthUserFile and AuthGroupFile already exist, you should use them.
Otherwise you can use these examples to create your own.
If you are adding a new user,
as in the previous section, you can just add the output from htpasswd to the end
One day I tried adding access restrictions to a whole website using the above
instructions. I had trouble. I kept getting the following error:
Internal Server Error
The server encountered an internal error or misconfiguration
and was unable to complete your request.
Please contact the server administrator, firstname.lastname@example.org
and inform them of the time the error occurred, and anything
you might have done that may have caused the error.
More information about this error may be available in the
server error log.
Apache/1.3.9 Server at myhost.mydomain.org Port 80
But I found no help in neither my access logs nor my error logs. Eventually I
read the manual entry for require
and discovered that my .htaccess file did not have an AuthType
directive. I added that in and all was well.
See also the symlink issues in the next section.
Symbolic links19 September 2000
If you have a symbolic link, sometimes that screws things ups. Let's assume /www
is symlinked to /usr/local/apache, and each of your virtual hosts is a
sub-directory in /usr/local/apache. You are trying to protect /www/mydomain/secret.
You should put your AllowOverride on /www/mydomain/secret, not /usr/local/apache/mydomain/secret.
Basically, use the pathname as found in the vhost declaration., regardless of any
A final word
In hindsight, I think this article assumes a bit too much. For example, it
assumes you already have the AuthUserFile and the AuthGroupFile. I suggest you read
the article http://www.sheamus.force9.co.uk/user/password.html
as well. It might give you enough. If it doesn't, add your comments.