At work we are having to move one of our clients from a Windows Server to a Debian Server. Moving the website was easy enough, but we have to lock down directories for specific users to access. To do this on the Windows box they had previously spent $300 on something called Authentix... to get it working on the Debian machine just required a text editor and some Apache know-how.

Each directory that needs to be locked down just needs a .htaccess file, which overrides the directives that are set in the global httpd.conf file. You can override any directives for a specific directory using a .htaccess file.

The first line of the file is:

Options -Indexes

This prevents any users from listing the contents of the directory, then we get onto the access restrictions:

## Basic Authentication Realm
AuthName "Directory Login"
AuthType Basic
AuthUserFile /home/username/.htpasswd
require valid-user

AuthName is the text that will be displayed on the login box, AuthType Basic sets the type of authentication we want (obvious really!!). AuthUserFile is the location of the file that holds the user names and passwords for the users who are allowed access. Make sure this file is kept outside of the web server's root directory to prevent it being browsed. Entries in the file take the form of username:encrypted password. This website has a page that will generate entries for the .htpasswd file. The final line, require valid-user, ensures that any user that is listed in the file is allowed access. It is possible to specify individual users from the file for access to the site.

Save the .htaccess file in the directory that needs to be protected and, assuming that the AllowOverride directive is set, the directory will become inaccessible straight away.
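As an added example (not part of the original post), here is a small Python lint for the .htaccess described above: it checks that directory listings are off, that Basic auth is fully configured, that the require line names valid-user or explicit users, and that AuthUserFile sits outside the document root. The sample file, the document root /var/www/html and the check wording are all assumptions made for the example.

```python
import os
import shlex

# Constructed sample .htaccess, matching the one built up in the post.
SAMPLE_HTACCESS = """\
Options -Indexes
## Basic Authentication Realm
AuthName "Directory Login"
AuthType Basic
AuthUserFile /home/username/.htpasswd
require valid-user
"""

def parse_htaccess(text):
    """Return (directive, [args]) pairs; names lower-cased, comments skipped,
    quoted arguments such as "Directory Login" kept as one argument."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = shlex.split(line)
            entries.append((parts[0].lower(), parts[1:]))
    return entries

def check_htaccess(text, document_root):
    """Lint the directives the post relies on. Returns a list of problem
    strings; an empty list means every check passed."""
    directives = parse_htaccess(text)
    first = lambda name: next((a for d, a in directives if d == name), None)
    problems = []
    if "-indexes" not in [o.lower() for o in first("options") or []]:
        problems.append("Options -Indexes missing: directory listings stay enabled")
    if (first("authtype") or [""])[0].lower() != "basic":
        problems.append("AuthType Basic not set")
    if not first("authname"):
        problems.append("AuthName missing: the login box has no realm text")
    userfile = first("authuserfile")
    if not userfile:
        problems.append("AuthUserFile missing")
    else:
        path, root = os.path.normpath(userfile[0]), os.path.normpath(document_root)
        if not os.path.isabs(path):
            problems.append("AuthUserFile should be an absolute path")
        elif path == root or path.startswith(root + os.sep):
            problems.append("AuthUserFile %s lies inside the web root %s and could be served" % (path, root))
    req = first("require")
    if not req or req[0].lower() not in ("valid-user", "user"):
        problems.append("require must be 'valid-user' or 'user <names>'")
    elif req[0].lower() == "user" and len(req) < 2:
        problems.append("require user given without any user names")
    return problems
```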