Creating a Password Protected Directory

EPA builds all web content in the Drupal WebCMS as of January 2013. All new microsites and resource directories will be created using Drupal. There is still content on EPA's legacy servers, and this content will be maintained there until it is transformed and moved into the Drupal WebCMS. The following information should be used only for minor updates/maintenance of existing pages; any significant updates or revisions to existing pages should be done in the context of One EPA Web content transformation into the Drupal WebCMS.

Note:  These instructions are for Apache webservers in the shared environment.

If you would like to protect a directory and its contents from the casual browser, you can utilize Apache's .htaccess file to set up password protection. Note: this technique is not recommended to secure sensitive data. This is simply a tool to protect code-release documents or items of similar security value.

Users of this technique should adhere to Agency standards in regard to user login IDs and password use, i.e.,

  • Passwords and user login IDs must be unique to each authorized user and will be kept private.
  • Passwords should be a mix of alpha, numeric and special characters. Names, readable words, social security numbers, etc. should not be utilized as passwords.
  • Passwords should be updated every 60 days.

Detailed Instructions

The following instructions require the use of a Telnet or SSH application in order to post commands on the Public Access or Intranet Unix upload server (epapub or epaintra). To use Telnet, go to the "Start" menu in Windows, select "Run" in the menu, and type "telnet" in the dialog window. This will launch Telnet. To connect to the appropriate server, select "Connect" from the menu and choose "Remote System". Here, you will need to type in the address of the host server to connect.

Once you have connected to the server, follow the instructions below to create a password protected directory using Unix commands.

  1. Use mkdir /public/data/TSSMS/protect to create the new password protected directory to hold your password file. In this example, we will create one called "protect", however you can name it whatever you want.

    For example: mkdir /public/data/webmast1/protect

    Note: Do NOT create this directory under your web subdirectory. That would make this directory and, therefore, your User ID and password files visible to the public!
  2. Change to the directory created in step 1. For example:
    cd /public/data/webmast1/protect
  3. You can now create User IDs and passwords. For security reasons, it is best to utilize unique User IDs and passwords. Do not utilize the same IDs and passwords that you use on other EPA systems. If you need to password protect more than one directory on your site, you will need to create a different password file for each directory.

    For example, to create the password file "web_passwords" with an initial user on the Public Access server (epapub), type:
    /public/server/apps/ap-home/bin/htpasswd -c web_passwords InitialUser
    To create the file and add the user George, type:
    /public/server/apps/ap-home/bin/htpasswd -c web_passwords George
  4. The computer prompts for a password. Follow the screen instructions.

    Using the example above, you would now have a file in your "protect" directory called "web_passwords" with an encrypted password for a user named "George." 
     
  5. If necessary, you can add more users. For each additional user type: 
    /public/server/apps/ap-home/bin/htpasswd web_passwords NextUser
    and follow the password prompts. For example to add Jacob as a second user, type:
    /public/server/apps/ap-home/bin/htpasswd web_passwords Jacob
    Again, follow the screen prompts for a password.

    Note: If you wish to update a User's ID or password, use the editor of your choice to remove their entry in the web_passwords file. Then create an updated entry for them using this step.
     
  6. Set the permissions on the directory which you wish to password protect.

    Note: the commands below use the numeric representation of user permissions.

    If you want others in your group to be able to write to the directory type:
    chmod 775 /public/data/TSSMS/web/YourProtectedDirectory
    If you do NOT want others from your group to be able to write to the directory type:
    chmod 755 /public/data/TSSMS/web/YourProtectedDirectory
    For example to make the subdirectory NewProject writeable by its group type:
    chmod 775 /public/data/webmast1/web/NewProject
  7. Change directories to the directory which you wish to password protect:
    cd /public/data/TSSMS/web/YourProtectedDirectory
    To follow our NewProject example, type:
    cd /public/data/webmast1/web/NewProject
  8. Create the Apache web server configuration file (.htaccess) in YourProtectedDirectory. This file tells the Apache web server to prompt for a User ID and password and where to look to confirm that information. Using the editor of your choice, open a .htaccess file. 

    Please note that other features such as a 404 Error Page also require a .htaccess file. A .htaccess file affects all the files and directories contained within its directory, unless a child directory contains its own .htaccess file. If a .htaccess file is being used to direct a 404 Error page in the parent directory, then you can create a new .htaccess file for the child password protected directory. If your password protected directory already contains a .htaccess file, then you will need to append the following code to the existing .htaccess file.

    Insert the following code into the .htaccess file:
    AuthType Basic
    AuthName "Secure"
    AuthUserFile /public/data/<TSSMS>/protect/web_passwords
    Require valid-user
    Order deny,allow
    Deny from all
    <Limit GET HEAD POST>
    Allow from all
    </Limit> 

    Simply replace the <TSSMS> with your TSSMS account. In our example, the lines would read:
    AuthType Basic
    AuthName "Secure"
    AuthUserFile /public/data/webmast1/protect/web_passwords
    Require valid-user
    Order deny,allow
    Deny from all
    <Limit GET HEAD POST>
    Allow from all
    </Limit> 
  9. Once your .htaccess file is saved, your directory should be protected. Open the protected directory in your browser. In this example: http://www.epa.gov/webmast1/NewProject. It will prompt for a User ID and password.

    Note: Once you have successfully logged into a protected directory, your browser will not prompt again for user ID and password while that browser session remains open. If you close the session and reenter, however, it will provide prompts.

    To further protect your directory from the casual user, you can add IP-based Protection and prohibit the Search Engine from indexing and displaying its files. For more information on this, refer to Creating an IP Protected Directory and Hiding Web Pages from Search Engines.
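    The following shell script is an added example, not part of the EPA instructions above. It carries steps 1 through 8 through as functions: it reproduces the layout the page describes (password file under <base>/protect, protected directory under <base>/web), with <base> passed in as a parameter so it can be tried in a scratch directory instead of /public/data/<TSSMS>. It assumes htpasswd is on PATH rather than at the EPA-specific /public/server/apps/ap-home/bin path, and it adds two checks the page states in prose: it refuses a password file that would land inside the web subdirectory (step 1's note), and it only passes -c to htpasswd when the password file does not exist yet, since running -c against an existing file truncates it and drops every user already in it.

```shell
#!/bin/sh
# Added example, not the EPA page's own script. Assumes a POSIX shell and an
# htpasswd binary on PATH; BASE stands in for /public/data/<TSSMS>.

# Step 1 rule: the password file must never sit under the web subdirectory,
# or the web server would serve it. Returns 0 when the placement is safe.
password_file_outside_web() {
  base="$1"; pwfile="$2"
  case "$pwfile" in
    "$base"/web/*) return 1 ;;
    *) return 0 ;;
  esac
}

# Steps 3 and 5: create the file for the first user only (-c), then append
# further users without -c. Re-running with -c would overwrite the file.
add_user() {
  pwfile="$1"; user="$2"
  if [ -f "$pwfile" ]; then
    htpasswd "$pwfile" "$user"
  else
    htpasswd -c "$pwfile" "$user"
  fi
}

# Step 8: the .htaccess block from the page, with AuthUserFile pointing at
# the given password file.
render_htaccess() {
  printf '%s\n' \
    'AuthType Basic' \
    'AuthName "Secure"' \
    "AuthUserFile $1" \
    'Require valid-user' \
    'Order deny,allow' \
    'Deny from all' \
    '<Limit GET HEAD POST>' \
    'Allow from all' \
    '</Limit>'
}

# Steps 1, 6, 7 and 8 together: create the protect and web directories, set
# the chosen mode on the protected directory (775 group-writable, 755 not),
# and write its .htaccess. An optional fourth argument overrides the password
# file path; the placement check rejects anything under <base>/web.
setup_protected_dir() {
  base="$1"; dir="$2"; mode="$3"
  pwfile="${4:-$base/protect/web_passwords}"
  webdir="$base/web/$dir"
  password_file_outside_web "$base" "$pwfile" || {
    echo "refusing: $pwfile is under $base/web and would be served" >&2
    return 1
  }
  mkdir -p "$base/protect" "$webdir"
  chmod "$mode" "$webdir"
  render_htaccess "$pwfile" > "$webdir/.htaccess"
}

# Usage on the page's example account (htpasswd prompts for each password):
#   setup_protected_dir /public/data/webmast1 NewProject 775
#   add_user /public/data/webmast1/protect/web_passwords George
#   add_user /public/data/webmast1/protect/web_passwords Jacob
```

    The placement check is a string test on the path, so it catches only the mistake the page warns about (creating "protect" under the web subdirectory); it does not detect a symlink from the web tree into the protect directory, which would need a check on the resolved path.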
