Setting up a password protected area on joisey.whatexit.org

Initial setup

Create the subdirectory that will be password protected.

      mkdir ~/public_html/blah/blah/blah

Request .htaccess be enabled for the directory

Send email to "tal" saying that you want a particular directory to be password protected. It's possible to have only specific files in that directory require a password, but I haven't done that yet, so if you figure it out please edit this page with detals.

The email should say something like: "Hi! I'd like Apache to ask for a password for directory ___________ as the WhatexitHtAccess page describes."

Change the apache configuration

To do this, tal will first issue these commands as root:

chown USER:USER /home/USER/the/directory
touch /home/web/sec/passwd.USER
chown USER:USER /home/web/sec/passwd.USER

Then add this to the apache configuration file /home/web/conf/httpd.conf:

<Directory "/home/USER/public_html/pages/protected">
        AuthName "USER Secret Stuff"
        AuthType Basic
        AuthUserFile /home/web/sec/htpasswd.USER
        require valid-user
</Directory>

Adding users

1. Log into the shell
2. htpasswd -b /home/web/sec/htpasswd.amq USERNAME PASSWORD

Resetting a user's password

Do the same thing as "adding users"

Deleting a user

Edit the htpasswd.FOO file and remove the user

TODO

It is possible to let the user have more control. Basically, one enables apache so that when dealing with a particular directory, if there is a .htaccess file then it is read and used as if those commands were included in Apache's configuration (just for that directory). It's secure, because you can say, "Ignore the .htaccess file if it has anything other than the following comands..." but for some reason I don't tend to use this feature. Maybe I should. I'll have to think about it.

-- TomLimoncelli - 30 Sep 2003