note: taken from UVM

The * following the "allow from" signifies that all other hosts and IP addresses are denied access.

Password Restriction

Password restriction allows you to specify a username(s) and password(s). The username(s) and password(s) can be distributed to people for whom you wish to grant access. This type of protection is good for those who have sensitive information to post on the Web that is targeted to a specific audience, members of which who are not part of the UVM community.

To password-protect pages, your .htaccess file would contain the following:

<Files *>
AuthType Basic
AuthName "My Page"
AuthUserFile password-file
require valid-user
</Files>

The * designates all the files in the directory containing the .htaccess document. Specific files in the directory can also be individually by listing the file name in lieu of the * (it is also possible to use pattern matching, for example, red* would apply restriction to all files that start with red). (Note: if you are using the UVM template, you will be confined to directory level restriction.)

The My Page should contain the text you wish to appear in the window that pops up when someone comes to the password-protected page. They will get a message in the window, "Enter username for My Page at www.uvm.edu:".

The password-file is the full path to a file you will create containing all your usernames and passwords.

You can further restrict access by using the following command in lieu of the require valid-user line:

require user username1 username2

In this case one can allow access to a limited set of usernames from your password-file.

Telnet to Create a Password-File

To create a password-file, Telnet into the directory where you wish the file to live (for security reasons, it is best if this directory does not match that of your .htaccess and restricted Web page files). Type the following command:

htpasswd -c password-file username

You will now be prompted to enter a password and verify that password. Subsequent usernames can be added, but do not use the -c (create) command:

htpasswd password-file username

Note the full path to use in the AuthUser File in your .htaccess file. It should read something like this:

/home/jsmith/misc

You also need to set execute permissions for everyone to this file, as you would for the magicscript. The .htaccess file permissions should be set as you would any Web page or image file.