How to use Apache .htaccess .htpasswd to protect files, folders and paths and to protect multiple files, multiple folders and paths

Keywords: Apache, .htaccess, .htpasswd, block access, protect file, protect folder, protect directory, protect path

If we have the following folders and files

/web/resource1/file1.htm
/web/resource1/A/
/web/resource2/file2.php
/web/resource2/B/C/D/
/web/resource3/E/F/

and the following URL paths

https://www.example.com/
https://www.example.com/resource1/file1.htm
https://www.example.com/resource1/A/
https://www.example.com/resource2/file2.php
https://www.example.com/resource2/B/C/D/
https://www.example.com/resource3/E/F/
https://www.example.com/secret

The document root for “https://www.example.com/” is “/web/”

The path “secret” is a virtual path that does not correspond to a real directory named “secret” (e.g. it comes from an existing rewrite rule in .htaccess)

Now we want to protect the file “file1.htm”, the directories “D”, “E” and “F”, and the virtual path “secret”

1.1 We need to create a .htaccess file under the “web” directory

1.2 Open the .htaccess file and add the following contents to protect a file

#Protected file
<Files file1.htm>
#Password file path
AuthUserFile /web/.htpasswd
#Message for user to see
AuthName "Password protected"
AuthType Basic
#(To allow only a specific user, use "require user username"; to allow all valid users, use "Require valid-user")
require user username
</Files>

Note: when dealing with multiple files, FilesMatch should be used.

<FilesMatch "file1\.htm|file2\.php">
AuthUserFile /web/.htpasswd
AuthName "Password protected"
AuthType Basic
require user username
</FilesMatch>

Tip: Targeting files that start with abc or def and end in .php

<FilesMatch "^(abc|def).*\.php$">
AuthUserFile /web/.htpasswd
AuthName "Password protected"
AuthType Basic
require user username
</FilesMatch>

1.3 We add the following content to protect the directories and the virtual path (we can use this method to protect multiple sub-directories/sub-folders/paths)

#Do the regex check against the URI here, if match, set the "require_auth" var
SetEnvIf Request_URI ^/resource2\/B\/C\/D require_auth=true
SetEnvIf Request_URI ^/resource3\/E require_auth=true
#The virtual path "secret"
SetEnvIf Request_URI ^/secret require_auth=true

#Auth stuff
AuthUserFile /web/.htpasswd
AuthName "Password protected"
AuthType Basic

#Setup a deny/allow (Apache 2.2 syntax; on Apache 2.4, Order/Deny/Allow/Satisfy need mod_access_compat)
Order Deny,Allow
#Deny from everyone
Deny from all
#except if either of these are satisfied
Satisfy any
#1. a valid authenticated user
Require valid-user
#or 2. the "require_auth" var is NOT set
Allow from env=!require_auth

https://stackoverflow.com/questions/14603568/password-protect-a-specific-url

1.4 We create a .htpasswd file under the “web” directory

1.5 Open the .htpasswd file and add the following contents (each line is username:hashed user password)

user1:$apr1$MknR4YQ8$ls4RTpNIxaJWyedBK5m030
user2:$apr1$FtfabsVg$NoxTA07DDeGhSOYT9NMLF/

These passwords can be generated using htpasswd with the following commands:

$ sudo htpasswd -c /web/.htpasswd user1

(You will need to supply and confirm the password for the user)

$ sudo htpasswd /web/.htpasswd user2
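
An added example (not part of the original post): a small Python audit of the username:hash format from step 1.5 that reports which hash scheme each entry uses. The first two sample lines are the entries shown above; the other lines are constructed placeholders, and the function and scheme names are this example's own.

```python
import re

# Hash formats this example recognises, with whether each is an acceptable
# choice today (of these, only bcrypt has a tunable work factor).
SCHEMES = [
    ("bcrypt", re.compile(r"^\$2[ay]\$\d{2}\$[./A-Za-z0-9]{53}$"), True),
    ("apr1-md5", re.compile(r"^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$"), False),
    ("sha1-unsalted", re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$"), False),
    ("crypt-des", re.compile(r"^[./A-Za-z0-9]{13}$"), False),
]

def audit_htpasswd(text):
    """Return (line_no, user, scheme, acceptable) for every entry in text."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank lines and comments
            continue
        user, sep, secret = line.partition(":")
        if not sep or not user or not secret:     # not "username:hash"
            findings.append((line_no, user or None, "malformed", False))
            continue
        for name, pattern, acceptable in SCHEMES:
            if pattern.match(secret):
                findings.append((line_no, user, name, acceptable))
                break
        else:  # unknown shape: another scheme or a plaintext password
            findings.append((line_no, user, "unrecognised", False))
    return findings

# Lines 1-2 are the entries shown in step 1.5; the rest are constructed
# placeholders with the right shape, not real hashes.
SAMPLE = "\n".join([
    "user1:$apr1$MknR4YQ8$ls4RTpNIxaJWyedBK5m030",
    "user2:$apr1$FtfabsVg$NoxTA07DDeGhSOYT9NMLF/",
    "user3:$2y$05$" + "A" * 53,
    "user4:{SHA}" + "A" * 27 + "=",
    "user5:hunter2",
    "user6",
])

if __name__ == "__main__":
    for line_no, user, scheme, acceptable in audit_htpasswd(SAMPLE):
        print(f"line {line_no}: {user!s:8} {scheme:14} {'ok' if acceptable else 'REVIEW'}")
```

Entries reported as apr1-md5 can be rewritten with bcrypt by re-running htpasswd with the -B option.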

Another way to protect the current directory:

e.g. If we want to protect directory “A”

2.1 Create a .htaccess file in directory “A”, so we have “/web/resource1/A/.htaccess”

2.2 We add the following content to the file

<Files ~ "^\.(htaccess|htpasswd)$">
deny from all
</Files>
AuthUserFile /web/resource1/A/.htpasswd
AuthGroupFile /dev/null
AuthName "Please enter your ID and password"
AuthType Basic
require valid-user 
order deny,allow

2.3 We create the .htpasswd file under “/web/resource1/A/”, so we have “/web/resource1/A/.htpasswd”

2.4 We generate the passwords as in step 1.5 (we need to change the path from “/web/.htpasswd” to “/web/resource1/A/.htpasswd”)

Now the directory “A” is protected


Tips:

1 We can use an online .htpasswd generator to create passwords for convenience

https://www.htaccesstools.com/htpasswd-generator/

https://www.web2generators.com/apache-tools/htpasswd-generator

https://www.askapache.com/online-tools/htpasswd-generator/

https://htmlstrip.com/htpasswd-generator

https://www.mobilefish.com/services/htpasswd_generator/htpasswd_generator.php

2 We can use online tools to generate .htaccess for convenience

https://www.htaccessredirect.net/

https://hostingfacts.com/htaccess-generator/

https://makeawebsitehub.com/htaccess-generator/
