I'm a little confused about the way you're going about things here. Is it that you want to protect a whole directory structure with
a username and password, or do you want to protect each of thousands of directories with different usernames and passwords? Protecting one directory would protect all directories below it (e.g. protecting
private/ will also protect
private/quotes/ and
private/orders/).
Code:
<Directory "/srv/www/htdocs/dir">
AllowOverride All
Options Indexes
Order allow,deny
Allow from all
AuthUserFile /srv/www/htdocs/dir/.htaccess
</Directory>
A few issues here:
- It's missing an AuthType [Basic|Digest] directive
- It's missing an AuthName directive
- It's missing a Require directive
- Using .htaccess files (which is enabled with AllowOverride All) for most directories is only a good idea if you do not have access to the main config files (it can sap performance of the server).
- .htaccess files are not normally the AuthUserFile - and the AuthUserFile should not be in a publically accessible directory. The file created using htpasswd - should be stored above the document root.
The section should read something like:
Code:
<Directory "/srv/www/htdocs/dir">
AllowOverride None
AuthType Basic
AuthName "My Private Directory"
Options Indexes
Order allow,deny
Allow from all
AuthUserFile /srv/www/.htpasswd
Require valid-user
</Directory>
Using AuthType Digest provides further security, by hashing the username and password before transmission (though
a few more changes would be needed as well). The Require statement can instead list a number of users from the AuthUserFile, rather than valid-user (= all users). See
here for more.
If you do decide you want to go with .htaccess files, you would need to include the essential directives shown above (AuthType, AuthName, AuthUserFile and Require) within
<Limit... > ... </Limit> tags, within that file (at the root of each branch you want to protect).
Hope this helps,
Rob
