How do I password-protect my LPL web page?

This page describes how to place directories on your personal web page under password protection on the LPL systems. In addition, we encourage you to read through the appropriate Security Tutorials on the Apache site for more details.

Suppose your personal web page is in your public_html directory (~/public_html), which can be reached at the web address http://www.lpl.arizona.edu/~username. Within that web page, you have a directory called secured (reachable via http://www.lpl.arizona.edu/~username/secured) that you would like to place under password protection, so that anyone who tries to go to http://www.lpl.arizona.edu/~username/secured is asked for a username and password, and the webserver won't let them see it without one.

To accomplish this, you need to create two files: a password file that contains user information, and an access file that the webserver looks for and that tells it how to handle requests for that directory.

First, you need to create that password file by running the htpasswd command. This command is installed on the LPL webserver at /usr/local/apache/bin/htpasswd, but only the root user can execute this program. When you are ready to have it run, send email to sys to request this.

The htpasswd command will create a password file called ~/public_html/secured/.htpasswd

WARNING: DO NOT use your system password for this password. The password file that you are generating for use with your webpages is in your directories and is not as secure as the system password file. If you use your system password for this, your system account might get hacked.

Once you have the password file, you need to create the access file. This access file must be named .htaccess (with the leading period), otherwise the webserver won't be able to find it (just like your web pages must be in a directory called public_html). Use your favorite text editor to create and edit a file called .htaccess in your ~/public_html/secured directory, and insert the following lines in it:

AuthType Basic
AuthName "My Secured Area"
AuthUserFile /home/username/public_html/secured/.htpasswd
require valid-user

Now that both the .htpasswd and the .htaccess files are in place, the directory they are in (and all of that directory's sub-directories) is under password protection by the webserver.
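
A quick way to check the finished setup, as an added example that is not part of the original page or of LPL's tooling: the function below reads the .htaccess in the directory you give it, confirms the directives shown above are present, and checks that the AuthUserFile path is absolute, exists, contains only user:hash lines and is not world-writable. The function name check_protected_dir and the choice of checks are assumptions of this example.

```shell
#!/bin/sh
# Added example (not LPL's own tooling): sanity-check a protected directory.
# Usage: sh check_protected.sh ~/public_html/secured
# The body runs in a subshell "( ... )" so its variables do not leak.
check_protected_dir() (
    ht="$1/.htaccess"
    problems=0
    fail() { echo "PROBLEM: $*"; problems=$((problems + 1)); }

    [ -f "$ht" ] || { echo "PROBLEM: $ht does not exist"; exit 1; }

    # The directives from the page must all be present (names are case-insensitive).
    grep -Eiq '^[[:space:]]*AuthType[[:space:]]+Basic' "$ht" || fail "no 'AuthType Basic' line"
    grep -Eiq '^[[:space:]]*AuthName[[:space:]]+[^[:space:]]' "$ht" || fail "no AuthName line"
    grep -Eiq '^[[:space:]]*require[[:space:]]+valid-user' "$ht" || fail "no 'require valid-user' line"

    # First AuthUserFile value (paths containing spaces are not handled here).
    pwfile=$(awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2; exit }' "$ht")
    case $pwfile in
        "") fail "no AuthUserFile line" ;;
        /*) if [ ! -f "$pwfile" ]; then
                fail "password file $pwfile does not exist"
            else
                # Every non-empty line must look like user:hash.
                awk -F: 'NF && ($1 == "" || $2 == "") { bad = 1 } END { exit bad + 0 }' "$pwfile" ||
                    fail "$pwfile has a line that is not user:hash"
                # Other accounts on the machine must not be able to rewrite it.
                [ -z "$(find "$pwfile" -perm -0002)" ] || fail "$pwfile is world-writable"
            fi ;;
        *)  fail "AuthUserFile '$pwfile' is not an absolute path" ;;
    esac

    [ "$problems" -eq 0 ]
)

# Run against a directory when one is given on the command line.
if [ "$#" -gt 0 ]; then
    check_protected_dir "$1"
fi
```

The function prints one PROBLEM line per finding and returns a non-zero status if it found any.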

There is a lot of functionality for this kind of security mechanism, and we highly suggest that you read through the Security Tutorials on the Apache site for a complete treatment of these issues. The level of security afforded by this method is adequate, but not high. If you have data that you feel requires a greater amount of protection or you have different authorization requirements, please consult LPL Webmaster / webmaster for more information.