Top Menu

Advanced Password Protection (Unix only)

For easy-to-use password protection, click on Password Protection in myCP. Detailed instructions here.

Basic Site Password Protection (recommended for a 100 or less total users)

DBM-based Password Protection (recommended for over a 100 users/high volume sites)

Referrer Based Protection (where access needs to be restricted only from authorized site links, such as those on your site)

HTAccess Basic Site Password Protection

You can password protect directories of your web site, so only users with a given username and password can access that directory and files within it. The most popular method used is HTAccess, as described below.

Single User Protection:

1. Create the directory your want to password protect in your public_html (example: membersonly)
2. Create a file .htaccess in that directory that looks similar to:


AuthUserFile /homeX/domain/.htpasswd
AuthGroupFile /dev/null
AuthName "Private Area"
AuthType Basic

<Limit GET>
require user myfriend
</Limit>

3. Create the password file /homeX/domain/.htpasswd using the program /usr/local/bin/htpasswd
   
   To do this, log into your account via Telnet and type:
   
   htpasswd -c .htpasswd myfriend
   
   
4. When prompted, enter the password for that user.
   
5. Now try to access a file in the protected directory by entering the set username and password when prompted for it.
   
6. If you add additional users, make sure to use htpasswd without the -c flag, which is used to create a new file.

 

1. Create your directory in public_html (example: membersonly), to contain the protected files.
2. Create a file .htgroup in your root directory that contains the group name and list of users:
   
   member-users: user1 user2 user3
3. Modify .htaccess, so it looks similar to:
   
   AuthUserFile /homeX/domain/.htpasswd
   AuthGroupFile /homeX/domain/.htgroup
   AuthName "Members Area"
   AuthType Basic
   
   <Limit GET>
   require group member-users
   </Limit>
   
4. Create the password file (.htpasswd) using the program htpasswd for each user (as above in part 1) You don't need the -c option if you are using the same .htpasswd file (-c is used to create a new file).
   
   htpasswd /homeX/domain/.htpasswd user1
   htpasswd /homeX/domain/.htpasswd user2
   and so on...
   
5. Remember to add any new users to the .htgroup file.
   
6. Now try to access a file in the protected directory by entering the set username and password when prompted for it.
7. If you add additional users, make sure to use htpasswd without the -c flag, which is used to create a new file.

Keep in mind that all files should have a blank line at the bottom and to always use the full path to your configuration files.

For further details, please refer to the Authentication Tutorial from NCSA.

DBM-based Site Password Protection

If you will have more than a hundred users, we recommend that you use DBM-based authentification, to speed up user login process.

DBM Authentification Set-Up:

1. create your password-protected directory inside public_html (eg. cd public_html ; mkdir directory).

2. create the directory where the password files will be stored inside your ROOT directory (NOT public_html for security purposes; eg. cd ~ ; mkdir access).

3. in the protected (in public_html) directory, create an .htaccess file.
Example:

AuthDBMUserFile /home3/yourdomain/access/.htpasswd
AuthGroupFile /dev/null
AuthName "Protected Area"
AuthType Basic

require valid-user

4. In the access (not in public_html) directory, do
ln -s .htpasswd .htpasswd.pag
and then
ln -s .htpasswd .htpasswd.dir

5. Then use dbmm program (/usr/local/bin/dbmm).
to add users, use the command:
dbmm /home3/yourdomain/access/.htpasswd adduser username password
for more details, run dbmm without any arguments and it will give you the further usage details.

If you would like to use group-based access control as well (the above is plain user based, though you can add as many users as you wish), please follow the further Apache instructions (create a group db file, or combine then as in the instructions there).

Keep in mind that all files should have a blank line at the bottom and to always use the full path to your config files.

Referrer Based Protection

1. Create the directory you want to protect access to based on referrers your public_html (example: restricted)

2. Create a file .htaccess in that directory that looks similar to:

AuthUserFile /dev/null
AuthGroupFile /dev/null

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://yourdomain.com/restricted/
RewriteCond %{HTTP_REFERER} !^http://www.yourdomain.com/restricted/
RewriteCond %{HTTP_REFERER} !^http://yourdomain.com/
RewriteCond %{HTTP_REFERER} !^http://www.yourdomain.com/
RewriteCond %{HTTP_REFERER} !^http://authorizedlinksite.com/
RewriteCond %{HTTP_REFERER} !^http://www.authorizedlinksite.com/
RewriteRule /* http://www.yoursite.com/restricted/index.html [R,L]

where yourdomain.com is your domain and authorizedlinksite.com is a site that can link to your restricted directory. There can be no, or multiple, such authorized link sites. Note that the trailing slashes (/) are important and must be included.

3. Now try to access the authorized directory from a link on your site, from a link on the authorized site(s), if any, and, if possible, from a link from an unauthorized site (to ensure that it is restricting access properly). The latter test can be conducted using a link from a sub-directory of your site (eg. http://www.yourdomain.com/somedirectory/) that is not listed as a valid referrer as well.