Protect web folders with Apache htaccess authorization
Some web hosts provide tools to protect folders (directories) on their web servers. Some don't, but if you have root access to the virtual host, you can create your own htaccess protection files.
Let's assume you have an osCommerce site and you want to lock down the /admin/ directory to prevent someone from clobbering your store. Here's how:
osCommerce usually installs in a directory called "catalog" so the directory path to admin is usually something like: /home/user/public_html/catalog/admin
We need to first have root access and also have the host configuration set to allow the use of htaccess to control access. Then we create a user/password file in a safe location on the server, and finally create the htaccess file that forces authentication to access the store's admin module:
- Confirm the host Apache server has "AllowOverride AuthConfig" set for this domain.
- Log in to the host server and "su" to root.
- Move into the domain root (not the document root; one level above that -- for instance if your domain document root is /home/user/public_html then the domain root is /home/user)
- Create a passwdfile using the htpasswd command:
# htpasswd -cb osc_users yourname yourpass
(the "-cb" means create a new passwdfile, and take the password from the command line)
- Set the permissions on the passwdfile:
# chmod 644 osc_users
- Move into the admin directory:
# cd /home/user/public_html/catalog/admin
- Edit the existing .htaccess file that comes with osCommerce, adding this to the end of the file:
- Restart the Apache webserver:
# /etc/rc.d/init.d/httpd restart
You should now get a standard Apache "username/password" log in menu when you point your browser to the admin directory. If you enter your name and password, you should get the osCommerce admin module index page.
- You get a "Server configuration error - 505" or similar.
- Your host is not set to allow htaccess files. Get in touch with the sysadmin and have them enable it for you.
- You get a "Access forbidden..." message.
- Your server is not set up to allow authorization configuration by htaccess. Your domain must have the "AllowOverride AuthConfig" directive set.