From: www.itworld.com

Restricting extranet access

by Steve Blass

February 12, 2001

We need to restrict access to part of our hosted extranet Web server using logon IDs and passwords. The hosting service uses Apache Web servers. The documentation says we can set up Apache to require passwords for our Web pages by using .htaccess files and htpasswd. We can upload files and log on using Secure Socket Shell, but need help configuring the site to require passwords.

If the Apache Web server software is configured by your provider to allow directory-level user access control using Basic Authentication, you can control access to pages in your site by placing a .htaccess file in each protected directory. If you call it DOThtaccess on your Windows system, you can use the FTP command "put DOThtaccess .htaccess" to upload it to the Unix host running Apache. A .htaccess file is shown here:

    AuthType Basic
    AuthUserFile /path/To/myUsers.htpasswd
    AuthName "mySpace Name"
    Require valid-user

When the Web server finds this file in a directory, it restricts access to that directory to users whose passwords are stored in the listed AuthUserFile. Use the htpasswd command from your Web host shell account to create the password files referred to in the .htaccess files. Create the password file and its first account with the command "htpasswd -c myFile firstuser", where myFile is the path given in AuthUserFile. Add further users with the command "htpasswd myFile nextuser"; leave off -c for these, because -c creates the file anew and overwrites an existing one.
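A way to check the result from the shell account before relying on it, as an added example that is not part of the original column: the function below lints a .htaccess of the kind shown above and the password file it names. The names check_htaccess and canon_dir are hypothetical, paths are assumed to contain no spaces, and the test that the password file sits outside the document root is an added precaution the column does not mention.

```shell
#!/bin/sh
# Added example (not from the column): lint a Basic Authentication .htaccess.
# Usage: check_htaccess /site/private/.htaccess /site/document-root
# Prints one line per problem; exit status 0 means no problems were found.

canon_dir() { (cd "$1" 2>/dev/null && pwd -P); }   # directory path with symlinks resolved

check_htaccess() {
    file=$1
    docroot=$(canon_dir "$2") || { echo "no such document root: $2"; return 1; }
    problems=0
    # The four directives from the column's .htaccess must all be present.
    for d in AuthType AuthUserFile AuthName Require; do
        grep -Eiq "^[[:space:]]*$d[[:space:]]" "$file" ||
            { echo "missing directive: $d"; problems=$((problems + 1)); }
    done
    # Path named by AuthUserFile, with optional quotes stripped.
    pw=$(awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2 }' "$file" | tail -n 1)
    case $pw in
        "") ;;  # already reported as a missing directive
        /*)
            if [ ! -f "$pw" ]; then
                echo "password file not found: $pw"; problems=$((problems + 1))
            else
                real=$(canon_dir "$(dirname "$pw")")/$(basename "$pw")
                # A password file under the document root may be downloadable by URL.
                case $real in "$docroot"/*)
                    echo "password file is inside the document root: $real"
                    problems=$((problems + 1)) ;;
                esac
                # Every non-empty line must look like user:hash, as htpasswd writes it.
                bad=$(awk -F: 'NF && ($1 == "" || $2 == "") { n++ } END { print n + 0 }' "$pw")
                [ "$bad" -eq 0 ] ||
                    { echo "$bad malformed entries in $pw"; problems=$((problems + 1)); }
            fi ;;
        *)  # Apache resolves a relative path against ServerRoot, not this directory.
            echo "AuthUserFile is not an absolute path: $pw"; problems=$((problems + 1)) ;;
    esac
    [ "$problems" -eq 0 ]
}
```

Run it as check_htaccess followed by the .htaccess path and the site's document root; the password file must already exist, so create it with htpasswd first.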