In this article, I will demonstrate technique how to password-protect a directory for every IP except the one specified, and for the reverse case along with a wide variety of other useful password-protection tricks, including a few from htaccess tricks article. Before getting into the juicy stuff, we’ll talk a few basics of HTAccess password protection.
Which version of Apache you used
In each of the examples below, the directives are enclosed within the container. This is to prevent your server from crashing if the required Apache modules are not available or not installed. Generally, the required modules will be present, but the <IfModule> check is a good precautionary measure.
When implementing any of the password-protection methods in this article, make sure you double-check which version of Apache you are using before you begin. The examples in this article assume you are using either Apache 1.3 or 2.0, as the <IfModule> containers are checking for the presence of the mod_auth module. Thus, if you are running Apache 2.2 (or better), you will want to replace the current <IfModule> containers with the following:
If in doubt, ask your host, install the ShowIP Firefox extension, or dig around in your server’s control panel. And, if you just don’t know, don’t care, or can’t figure it out, just remove the opening and closing <IfModule> tags from the method you would like to use and call it good. Without them, if your server is not equipped with the required module, it will simply return a 500 error message, which is easily resolved by removing the password directives.
HTAccess password protection working with cascading fashion
Before we begin, there are a few things you need to know about Apache’s various password-protection directives. First, these password-protection tricks apply to the directory in which they are placed. For example, to password-protect your entire site, you would place one of these tricks in the web-accessible root HTAccess file for your site. HTAccess directives are applied down the directory structure, in cascading fashion, such that all subdirectories are also protected.
Make two files for password protection: htaccess and htpasswd
The second thing you need to know is that, in most cases, there are two parts to any password-protection implementation: the .htaccess file and the .htpasswd file. The .htaccess file will contain any of the sweet tricks provided in this article, while the .htpasswd file will contain the required username and an encrypted version of your password.
There are several ways to generate your .htpasswd file. If you are comfortable with Unix, you can simply run the “htpasswd” command. For example, entering the following command will create a working password file in the /home/path/ directory:
htpasswd -bc /home/path/.htpasswd username password
Placing the password file above the web-accessible root directory is a good security measure. If you examine the file after it has been created, the only thing it will contain is a line that looks similar to this:
Regardless of how or where you decide to create your .htpasswd file, keep its location in mind for use in its associated HTAccess file(s). And yes, you may use one .htpasswd file for multiple HTAccess files placed in multiple directories.
How to customize the dialogue on the password prompt
The last thing that you should know before diving into some sweet tricks is that you may customize the message shown on the password prompt by editing the following line in each of the examples in this article:
AuthName "Username and password required"
By changing the text inside of the quotes, you may use any language you wish for the password prompt.
At this point, we’re ready to dive into some juicy HTAccess password-protection tricks!
Basic password protection
To password protect your site or any directory, place this code in the associated HTAccess file:
# basic password protection <IfModule mod_auth.c> AuthUserFile /home/path/.htpasswd AuthName "Username and password required" AuthType Basic <Limit GET POST> </Limit> </IfModule> Require valid-user
That’s about as basic as it gets. Remember to create your password file and specify its directory in the first line. Let’s move on to something more interesting.
How to make Open-access for a single IP, password-protect for everyone else
This method is great during project development, where you want open access with the ability to give others access via password:
# password protect excluding specific ip <IfModule mod_auth.c> AuthName "Username and password required" AuthUserFile /home/path/.htpasswd AuthType Basic Require valid-user Order Deny,Allow Deny from all Allow from 111.222.333.444 Satisfy Any </IfModule>
By placing that code into the HTAccess file of the directory that you would like to protect, only the specified IP will be allowed open access; everyone else will need to enter the proper username and password.
How to make open access for multiple IPs, password-protect for everyone else
The above code may be modified easily to provide multiple IPs open access while denying everyone else:
# password protect excluding specific ips <IfModule mod_auth.c> AuthName "Username and password required" AuthUserFile /home/path/.htpasswd AuthType Basic Require valid-user Order Deny,Allow Deny from all Allow from localhost Allow from 111.222.333.444 Allow from 555.666.777.888 Satisfy Any </IfModule>
You may add as many IPs as needed. This method is great during project development, where the following conditions will apply:
- Project development remains private for regular visitors
- Project access may be granted to clients (or anyone) by providing the password
- Members of the development team have open access on their respective machines
In addition to providing unrestricted access to your team, you may also want to keep certain web services in mind by including the following directives (insert above the Satisfy Any directive):
Allow from validator.w3.org Allow from jigsaw.w3.org Allow from google.com
How to make open access for everyone with password-protect for specific IPs
This method is useful for a variety of situations, including cases where you would like to block a list of malicious IPs.
# password protect only for specified ips <IfModule mod_auth.c> AuthName "Username and password required" AuthUserFile /home/path/.htpasswd AuthType Basic Require valid-user Order Allow,Deny Allow from all Deny from 111.222.333.444 Deny from 555.666.777.888 Satisfy Any </IfModule>
You may list as many IP addresses as necessary. You may also deny from entire IP blocks by truncating the address accordingly. For example, to block everyone coming from an IP address beginning with “999.888”, we would add the following directive:
Deny from 999.888
How to make open access for everyone with password-protect for specific CIDR number
Similar to the previous method, here is a technique for requiring a password only from a select CIDR number. This method is useful for blocking mega-spammers such as RIPE, Optinet, and others. If, for example, you find yourself adding line after line of Apache Deny directives for addresses beginning with the same first few numbers, choose one of them and try a whois lookup. Listed within the whois results will be the CIDR value representing every IP address associated with that particular network. Thus, blocking via CIDR is an effective way to eloquently prevent all IP instances of the offender from accessing your site. Here is a generalized example for blocking by CIDR:
# password protect only for specified CIDR <IfModule mod_auth.c> AuthName "Username and password required" AuthUserFile /home/path/.htpasswd AuthType Basic Require valid-user Order Allow,Deny Allow from all Deny from 10.1.0.0/16 Deny from 80.0.0/8 Satisfy Any </IfModule>
How to make password protection for a single file
I have used this technique countless times. To password-protect a single file, simply adds this to your HTAccess file:
# password protect single file <IfModule mod_auth.c> <Files "protected.html"> AuthName "Username and password required" AuthUserFile /home/path/.htpasswd Require valid-user AuthType Basic </Files> </IfModule>
Here we are protecting a file named “protected.html” from access. The file will only be available after the submission of the proper username and password.
How to make password protect multiple files
To protect multiple files, the method is very similar, only this time we are using Apache’s FilesMatch directive. This allows us to list as many files as needed:
# password protect mulitple files <IfModule mod_auth.c> <FilesMatch "(protected.html)|(passwords.txt)"> AuthName "Username and password required" AuthUserFile /home/path/.htpasswd Require valid-user AuthType Basic </FilesMatch> </IfModule>
In this example, we are password protecting two files, “protected.html” and “passwords.txt”. To add more, simply include more instances of “|(filename.ext)” in the list of files.
How to make Password protect multiple file types
With this method, we are using Apache’s FilesMatch directive to password-protect multiple file types. Here is an example:
# password protect mulitple file types <IfModule mod_auth.c> <FilesMatch ".(inc|txt|log|dat|zip|rar)$"> AuthName "Username and password required" AuthUserFile /home/path/.htpasswd Require valid-user AuthType Basic </FilesMatch> </IfModule>
Once in place, this code will require a password for access to the following file types: .inc, .txt, .log, .dat, .zip, and .rar. Customize to suit your needs.
How to make Password protection for everything except a single file
This powerful technique for allowing access to a single file while password-protecting everything else:
# password protect everything except a single file <IfModule mod_auth.c> AuthName "Username and password required" AuthUserFile /home/path/.htpasswd Require valid-user AuthType Basic <Files "open-access.html"> Order Deny,Allow Deny from all Allow from 123.456.789 Satisfy any </Files> </IfModule>
When placed in the root directory or any parent directory, this code will password-protect everything except the file named “open-access.html”, which itself may be located in any subsequent directory or subdirectory.
To protect everything while allowing access to multiple files, we may use Apache’s FilesMatch directive instead. Here is an example allowing access to “open-access-1.html”, “open-access-2.html”, and “open-access-3.html”:
# password protect everything except specified files <IfModule mod_auth.c> AuthName "Username and password required" AuthUserFile /home/path/.htpasswd Require valid-user AuthType Basic <FilesMatch "(open-access-1.html)|(open-access-2.html)|(open-access-3.html)"> Order Deny,Allow Deny from all Allow from 123.456.789 Satisfy any </FilesMatch> </IfModule>
Note that we may consolidate the file list as follows:
An alternative approach to allowing open access to any file or group of files is to locate them in their own directory with the following directives added to its HTAccess file:
Allow from all satisfy any
As you can see, Apache’ mod_auth functionality makes it possible to configure just about the password-protection setup you may need. From preventing access from specific IP addresses and domains to allowing access only for specific files and directories, Apache makes it possible to protect your files easily and securely. And we haven’t even gotten into the many possibilities available for configuring specific user and group authorizations. I think I’ll save that for another article. In the meantime, for more information on Apache’s powerful mod_auth, check out the Official Documentation.