Web Page Protection on Apache Web Server
　

1. Use SSH to login to www.hku.hk or web.hku.hk, and change to the directory you want to protect.

    

2. Create (or update) the passwordFile for the purpose of access control by using the following command:


     htpasswd -c passwordFile username

where username is the name of a user account which will have the right to gain access to the restricted web pages.

    Example:

            htpasswd -c courseUsers otto

            Here the passwordFile is named as courseUsers.
            You will then be asked to enter a password for the user otto twice. (You should, of course, inform the user of   
            this username and password for him to gain access to the restricted web pages.)

　

3. Repeat the above step, i.e. step 2, to add more users, except that now you type

        htpasswd passwordFile anotherUserName
        (Note: no "-c" flag after htpasswd.)

   　

4. Change the permission of the passwordFile so that it can be read by others using the following command:

     chmod 644 passwordFile

     Example:

            chmod 644 courseUsers

　

5. To delete a user from the passwordFile, use an editor, e.g. pico or vi, to edit the passwordFile and delete the unwanted line corresponding to the user's name:

Example:

vi courseUsers

shows the following lines:

otto:38hi3sylap
billgate:v8302icd92

where otto and billgate are two authorized users' names (their corresponding passwords are encrypted). You can delete either one or both of the lines to remove the user(s) from the authorized user list (i.e. the password file).

 

6. To put web page access control into effect:

Create a file called .htaccess in the directory under which the files and its sub-directories are to be accessible only by the authorized users specified in the User Password file discussed above.

Example 1

Suppose the full path name of the passwordFile is /user3/otto/courseUsers and the full path name of the directory of the web page files which require access control is /user3/otto/dir1/.

The file /user3/otto/dir1/.htaccess should be created and it should contain:
 

AuthUserFile /user3/otto/courseUsers
AuthName HKU
AuthType Basic
require valid-user

Make sure that the full path of the passwordFile is specified in the .htaccess file.

Please note that the keywords AuthUserFile, AuthName, AuthType and require, and their assigned values must be on the same line. The value valid-user specifies all users in the password file.

Also, change the permission of the file .htaccess so that it can be read by others using the following command:

chmod 644 .htaccess

When a user views a web page file under the directory /user3/otto/dir1/, the web server will authenticate the user's access to the web page by means of his username and password in the password file /user3/otto/courseUsers.

Example 2

The file /user3/otto/dir2/.htaccess contains

AuthUserFile /user3/otto/courseUsers
AuthName HKU
AuthType Basic
require user apple otto

Please note that the keywords AuthUserFile, AuthName, AuthType and require, and their assigned values must be on the same line. The line "require user apple otto" specifies that only the user apple and otto can access the directory even the password file '/user3/otto/courseUseres' contains other users.

• If a user browses a web page which is set up with access control by means of username, a login window will come up and the user will be asked to type in his access-control username and password. Only authorized users can gain access to such restricted pages.
• Access control applies to the directory which contains the file .htaccess and all its files and sub-directories. If you want to set up controlled access function for the web pages in another tree of directories, you need to copy the file .htaccess to the parent directory of that sub-tree of directories. However, only a single passwordFile is required for the same group of authorized users.