Web Space Password Protection - Is It Possible?

Web hosting, FTP/database access, mirror services and hosted blogs
Post Reply
csouter
Posts: 156
Joined: Fri Apr 09, 2004 6:37 pm
Location: Homebush West, NSW, Australia

Web Space Password Protection - Is It Possible?

Post by csouter » Wed Dec 02, 2009 12:50 pm

Hi, everyone!

I'm just wondering if anyone knows whether or not it's possible to password-protect
the free 200MB web space provided to me by Exetel under my ADSL2+ plan.

I don't mean the FTP access, (I quite realise that FTP access is already password-protected).
I mean protecting the webspace from being viewed in a browser, using HTTP protocol.

For example, is there some kind of script I could insert into index.html that would
prevent casual surfers or bots from accessing the page, (or any other page or subdirectory
on the site, for that matter), without a valid user name and password?

Also, assuming that such scripts exist, how would one then go about creating a list
of user names and passwords for the site?

One final question: Does the Exetel Web Server allow such protection to be
implemented by the user?

Any information (especially "how-to" info), would be greatly appreciated!

Thanks in advance!

Best regards to all,
Christopher (Chris) Souter
(Sydney, Australia)

JeremyP
Posts: 159
Joined: Wed Dec 13, 2006 2:22 pm
Location: Newcastle NSW

Re: Web Space Password Protection - Is It Possible?

Post by JeremyP » Wed Dec 02, 2009 1:43 pm

Yes this can be done with the help of .htaccess and .htpasswd files.

In order for you to do this, you will need to create a file named 'htaccess' on your computer.
The contents of this file should be similar to this:

Code: Select all

AuthType Basic
AuthName "Password Required"
AuthUserFile /home/freeweb/web/<yourwebspacename>/public_html/.htpasswd
Require User <user.you.created>
You then create a file called "htpasswd" on your computer and then browse to http://www.htaccesstools.com/htpasswd-generator/ and type in the username and password you want to have and click the button.

That then generates an output which you copy into "htpasswd".

Make sure you have this user entered in the "Require User ..." section above.

Then you upload both files into the main directory of your webspace via FTP if you want to restrict the whole webspace (this includes all sub directories too).

If you just want to restrict a particular folder. eg. secure you just FTP the file into that folder but make sure to also add this directory into the "htaccess" file.

Once they have been uploaded, use the FTP client to rename the files ".htaccess" and ".htpasswd" (prefix dot is required)

Please advise if you have any questions or need help.

Dazzled
Volunteer Site Admin
Posts: 6003
Joined: Mon Nov 13, 2006 1:16 pm
Location: Sydney

Re: Web Space Password Protection - Is It Possible?

Post by Dazzled » Wed Dec 02, 2009 1:51 pm

I have coded access restrictions for some other Exetel users, so a degree of privacy is possible with some ingenuity. You can't get tight security on this service though, as we customers can no more get access behind Exetel's server than online browsers can. You can however implement steps to hinder and discourage the curious, some requiring some coding.

Possibilities for discouragement--
1 You can choose to apply several restrictions with an .htaccess file, although the server only supports some options.
2 Use index.html with included Javascript to obtain a password which will gain entry to an oddly-named subdirectory. Since anyone can read your index file you mustn't include the subdirectory name or password in clear in the script.
3 You can place encrypted material openly in your space, and use a php server script to unwrap it. The curious can copy the script, so don't let a password be coded in clear there either.
4 You can upload to the site an encrypted download. Let your friends do the decryption on their own machines, using the correct key. You could even supply them a user javascript (Opera, Firefox) for their browser to do the job automatically whenever the site is visited.

Edit: Its <dot>htaccess - an illegal name in Windows, so rename a Windows file after it has been transferred.

Tim K

Re: Web Space Password Protection - Is It Possible?

Post by Tim K » Wed Dec 02, 2009 2:35 pm

Dazzled wrote:Edit: Its <dot>htaccess - an illegal name in Windows, so rename a Windows file after it has been transferred.
Actually, you can create a .htaccess file on a Windows machine :)

E:\Documents\temp>echo blah >.htaccess

E:\Documents\temp>dir
Volume in drive E is Data
Volume Serial Number is A8C8-8D8A

Directory of E:\Documents\temp

02/12/2009 02:34 PM <DIR> .
02/12/2009 02:34 PM <DIR> ..
02/12/2009 02:34 PM 7 .htaccess
1 File(s) 7 bytes
2 Dir(s) 344,325,191,680 bytes free

Incidentally, if you're only wanting 'rudimentary' security, this is probably the best way of doing it too. Although it is only fairly 'basic' - you wouldn't want to use it for stuff that needs very tight access control - is is suitable if you simply want a directory password protected for instance.

Dazzled
Volunteer Site Admin
Posts: 6003
Joined: Mon Nov 13, 2006 1:16 pm
Location: Sydney

Re: Web Space Password Protection - Is It Possible?

Post by Dazzled » Wed Dec 02, 2009 2:41 pm

Mea culpa - I should have said "some Windows". Notepad still doesn't like it though.

csouter
Posts: 156
Joined: Fri Apr 09, 2004 6:37 pm
Location: Homebush West, NSW, Australia

Re: Web Space Password Protection - Is It Possible?

Post by csouter » Fri Dec 04, 2009 5:05 pm

Hi, everyone!

Thank you all for the wealth of information!

I'm now in the process of trying it out.

I'll get back to you later with my results.

Thanks and regards to all,
Chris Souter
(Sydney, Australia)
Thanks and regards
Christopher Souter
(Sydney, NSW, Australia)

csouter
Posts: 156
Joined: Fri Apr 09, 2004 6:37 pm
Location: Homebush West, NSW, Australia

Re: Web Space Password Protection - Is It Possible?

Post by csouter » Tue Dec 08, 2009 4:33 pm

Hi, every ne!

Well, I went to htaccesstools, created the .htaccess and .htpasswd files, with two users, myself
and one other, FTPd them into the root directory of my space, and logged in as myself.
The login seemed to work OK, but, instead of being able to view my page, I was greeted with:

"500 Internal Server Error"

As soon as I removed the .htaccess and .htpasswd files, the 500 error disappeared.

Does anyone have any idea what I did wrong?

In the .htaccess file, the last two lines are
"Require User <Username 1>"
"Require User <Username 2>"

Is it OK to set it up like that?

In the .htpasswd file, the two lines for the username/encrypted password combinations
were copied and pasted straight from the field on the htaccesstools web page.

The only other thing that I can think of is that maybe I got the fully-qualified path name wrong
for the .htpasswd file when I put it into the .htaccess file.

Obviously, I don't want to publish the files here, but if someone wants to PM me, I could give the
fully-qualified path name as I have it in the .htaccess file.

Both files are in the same directory, so, would it work if I just put the file name? Does it really
need to be a full path name? And, if it does, what do I put for the root directory?

Thanks in advance for any advice you can give me.

Best regards to all
Chris Souter
Thanks and regards
Christopher Souter
(Sydney, NSW, Australia)

Dazzled
Volunteer Site Admin
Posts: 6003
Joined: Mon Nov 13, 2006 1:16 pm
Location: Sydney

Re: Web Space Password Protection - Is It Possible?

Post by Dazzled » Tue Dec 08, 2009 6:03 pm

The server won't give a detailed error listing to a browser, as the logs go to a secure location outside your space.

With a list of permitted users, try: require valid-user instead

The root directory pathname is /home/freeweb/web as reported by phpinfo (), so add your own onto it, ie /home/freeweb/web/csouter/public_html/secretspot/.htpassword

You can learn quite a bit about the server setup if you put this in your space as file: phpinfo.php and call it up in the browser.

Code: Select all

<?php
  phpinfo();
?>
Details are at http://php.net/manual/en/function.phpinfo.php

csouter
Posts: 156
Joined: Fri Apr 09, 2004 6:37 pm
Location: Homebush West, NSW, Australia

Re: Web Space Password Protection - Is It Possible?

Post by csouter » Wed Dec 09, 2009 5:34 am

Hi there,

Thanks for the info.

I'll give it a try.

Best regards
Chris Souter
Thanks and regards
Christopher Souter
(Sydney, NSW, Australia)

nailgun
Posts: 4
Joined: Wed Dec 30, 2009 5:12 pm
Location: Carlton Vic

Re: Web Space Password Protection - Is It Possible?

Post by nailgun » Sun Jan 03, 2010 7:29 pm

Help appreciated. I'm new to webspace.

I have setup a plain webpage with links to two folders. One 'open', one password-protected 'secret'.

Very simple index.html in the root folder, with the 2 links, and they work.

In the 'open' folder there's a simple .htaccess file with only the text "Options Indexes" to reveal the directory in that folder. Works fine.

In the password protected folder an .htpasswd file with the correct password for name via http://www.htaccesstools.com/htpasswd-generator/

e.g., for Fred ... Fred :$apr1$uy7le/..$MJODex7zR37Fa309WeFdo0 in the file in a single line. Looks right.

The path to .htpasswd is /home/freeweb/web/mywebspacename/public_html/secret/.htpasswd. According to php.info that should be right.

The secret folder .htaccess text is:

Options Indexes
AuthType Basic
AuthName "Password Required"
AuthUserFile /home/freeweb/web/mywebspacename/public_html/secret/.htpasswd
Require valid-user

and I think this must be wrong, because it doesn't work.

Browser linking to the secret folder is asked for password, but finds "Internal Server Error".

Disabling the .htaccess in the 'open' folder makes no difference to this error for the 'secret' folder.
Stripping out all text from the secret folder .htaccess except for "Options Indexes" gives me simple open access - no password protection.
Changing the last line to
Require Fred, Require "Fred", Require <Fred> or Require valid-user makes no difference.

What am I doing wrong? This is infuriating.

Nailgun

Dazzled
Volunteer Site Admin
Posts: 6003
Joined: Mon Nov 13, 2006 1:16 pm
Location: Sydney

Re: Web Space Password Protection - Is It Possible?

Post by Dazzled » Sun Jan 03, 2010 7:50 pm

Nailgun, this might be useful - http://javascriptkit.com/howto/htaccess.shtml. One thing to watch is that .htaccess commands are inherited by subdirectories, so be careful of one in your root directory. Format is: Require User <yourname> - valid-user is for a list in the password file.

nailgun
Posts: 4
Joined: Wed Dec 30, 2009 5:12 pm
Location: Carlton Vic

Re: Web Space Password Protection - Is It Possible?

Post by nailgun » Sun Jan 03, 2010 8:08 pm

Dazzled, thank you.

I just fixed it and since I've seen others struggling with this I'll write it out. The mistake was in the .htaccess in secret folder, and the link to made it easy. My other ISP's setup for FTP is simple. Exetel don't tell you anything

1 Open FTP web space via Member's page (it was bust 3 days ago then came good)

2I have a plain web page with links to 2 folders on it via a very simple index.html. If you're interested:

<html>
<head>
<title>YourChoice of Name</title>
</head>
<body>
<a href="./open">open</a><br>
<br>
<br>
<a href="./secret">secret</a>
</body>
</html>

With FTP client (CuteFTP is slick) upload to

1

nailgun
Posts: 4
Joined: Wed Dec 30, 2009 5:12 pm
Location: Carlton Vic

Re: Web Space Password Protection - Is It Possible?

Post by nailgun » Sun Jan 03, 2010 8:34 pm

(sorry, finger slipped)

upload to webspace, and in it make a folder 'secret' and another 'open'

3 In the open folder insert .htaccess via notepad with the sole text

Options Indexes

4 In the secret folder you'll need a more complex .htaccess, again - a renamed notepad file

Options Indexes

AuthType Basic
AuthName "secret"
AuthUserFile /home/freeweb/web/yourwebspacename/public_html/private/.htpasswd
Require valid-user

("valid-user" works for one or many)

5 Also in that folder put in a .htpasswd file derived from the website http://www.htaccesstools.com/htpasswd-generator/
Pick the name(s) and password(s) and copy the strings it gives you. If several different, give each a new line (no wordwrap). oNe name ? .. only one line in that file.

And you're done.

Remember the server is unix and absolutely case-sensitive for filenames, extensions, etc.

This might save someone time. There'll be better ways but it works and most of us don't want to rediscover the wheel.

Exetel could do to lift their game with really good FAQ's rather than fragmentary bits of advice here and there.

Nailgun

nailgun
Posts: 4
Joined: Wed Dec 30, 2009 5:12 pm
Location: Carlton Vic

Re: Web Space Password Protection - Is It Possible?

Post by nailgun » Sun Jan 03, 2010 8:40 pm

(sorry again - 3rd and Final.)

Error in text above

the .htaccess in the 'secret' folder has the line

AuthUserFile /home/freeweb/web/yourwebspacename/public_html/secret/.htpasswd ( not ../../../private/.htpasswd)

Nailgun

Dazzled
Volunteer Site Admin
Posts: 6003
Joined: Mon Nov 13, 2006 1:16 pm
Location: Sydney

Re: Web Space Password Protection - Is It Possible?

Post by Dazzled » Sun Jan 03, 2010 9:04 pm

Good to hear it's fixed.

The Exetel site is normal LAMP (Linux/Apache/MySQL/PHP), and all the usual references apply and are are useful. Your description will be useful to many in future. A couple of Windows users have documented their experience for more complicated tasks - one of the best is Lovs2look's 3 page illustrated account at: http://forum.exetel.com.au/download/file.php?id=456, http://forum.exetel.com.au/download/file.php?id=457, & http://forum.exetel.com.au/download/file.php?id=458 (it is a small business site at http://home.exetel.com.au/fixit/)

Actually, you still have an error (fortunately ignored by most browsers) in your html file - there is no DOCTYPE statement. See http://validator.w3.org/docs/help.html#faq-doctype.

Post Reply