password protecting a webpage

jonfa · 03-20-2002, 11:41 PM

Hi All,

I am running Redhat 7.2 and currently have a website on my machine in (/var/www/html/index.html...). What I want to do is password protect a webpage within my website and not the entire page. Is this possible? Any Ideas? Thanks.

Jon

jayakrishnan · 03-20-2002, 11:53 PM

Put the secret file(s) in a directory, and use .htaccess file to protect that directory

jonfa · 03-21-2002, 12:32 AM

Thanks for the reply. Here's what I did:

1. created /var/www/html/protected/ (where "protected" is the directory where my files will be)

2. created a test webpage in the protected directory and did: chmod a+r filename.html

3. created .htaccess file in the protected directory and added the following :
AuthName "Enter Password"
AuthType Basic
AuthUserFile /root/password
require valid-user

4. I then did: chmod 755 .htaccess

5. Under /root I ran: "htpasswd -c password username" and "Chmod 755 password"

It didn't work. What am I missing? Thanks

Jon

Mik · 03-21-2002, 03:55 AM

Well what you did is right. There is just one problem. In most cases apache is run as the user/group nobody/nogroup. So you'll have to give that user read permission to the password file. The /root directory is only for root so no other user can read files in that directory. So it would be best to put the password file in a different location and make sure that the user you run apache as has permission to at least read the password file.

Just another thing 755 isn't very safe for the password file. You might want to try something like:

chown root.nogroup passwordfile
chmod 640 passwordfile

jonfa · 03-21-2002, 11:25 AM

Hi,

I moved the password file from /root to /home/someuser. I then executed the following:

chown root.apache passwordfile
chmod 640 passwordfile

Still no luck. Not sure if my "root.apache" is correct?

Jon

Mik · 03-22-2002, 06:26 AM

What does it say in the httpd.conf file for User and Group? Mine says nobody and nogroup. That user should have permission to read your password file.

The commands I told you to run make the owner of the password file root and the group nogroup or in your case apache. Then the chmod gives the owner read and write permissions and the group only read permissions.

Since you put it into the directory /home/someuser then you would also have to make sure that the user that runs apache has read and execute rights in that directory.