+------------------------------------------------------------------------------+
| EnGarde Apache 'htaccess' HowTo                              January 7, 2002 |
| Jeff Baldwin                                                    Version 1.00 |
+------------------------------------------------------------------------------+

Are there sections of your site that you would prefer not everyone have access to? Maybe you have a set of photos that you only want to share with a given set of family or friends? The Apache web server has a built-in function named 'htaccess' that gives you the ability to require user authentication to access specified directories on your site. The following will give you a quick intro on implementing 'htaccess', just a little something to get your feet wet :).

(Note: I need to put an authentication screen shot here)

[IMAGE] USER AUTHENTICATION SCREEN SHOT [/IMAGE]

At some point in your 'net' adventures I'm sure you've run into the screen above, a small window prompting you for a username/password to access a page. This is not accomplished with some fancy Java, Perl or PHP code (though I'm sure it could be done with these languages). You can implement this 'user authentication' with a simple (even to the newest of newbies) '.htaccess' file. The following instructions should get you 'up and running' with 'htaccess'.

Considering the fact that I am writing this article for the EnGarde SECURE Linux site, I guess I should put security first and start off by mentioning some potential problems that you may want to consider before protecting all of your company's most important financial data with 'htaccess'.

  * No computer system is completely secure. As with anything else, there may be holes in the 'htaccess' system.

  * The user name and password are transmitted as plain, readable text; they are NOT encrypted.
    (Note: I have yet to research whether an SSL-enabled site would pass htaccess info in plain text, I hope not)

  * If a user knows about subdirectories under the protected directory, security can be breached if the subdirectories are not also protected.

To set up 'htaccess' it is required that you have shell access to your EnGarde system. If you do not have shell access to your EnGarde system you are probably not the systems admin and this doc is probably of little use to you :).

Setting up an .htaccess Protected Directory

Installing 'htaccess' involves a few steps. The most important thing is to be sure you NEVER, EVER install the .htaccess file into your root web directory. Doing this will lock everyone (without a username/password) out of your website. Make sure you create the directory and/or are located in the correct directory before creating the file.

  * Step 1: Where are you? At your prompt enter the command 'pwd' to see what directory you are in. If you have already made your new directory and are in it --> Go to Step 3.

  * Step 2: Issue the command 'mkdir dirname' where dirname is what you want to call the directory you will be protecting. Then enter the command 'cd dirname'.

  * Step 3: Using an editor such as vi or pico, create a file called '.htaccess' (be sure to use lower case letters, with the leading period) in the directory that you wish to protect. The file should look like this:

        AuthUserFile /home/httpd/html/test/.htpasswd
        AuthGroupFile /dev/null
        AuthName "The Secret Page"
        AuthType Basic
        require valid-user

  * Step 4: Change 'AuthUserFile' so that it points to the directory where you wish to store your '.htpasswd' file. (I always store my '.htpasswd' file in the directory that I wish to protect)
    (Note: Ask someone who knows.. "is this dumb".. I think it should be ok :) )

  * Step 5: Change The Secret Page to be whatever title you want to have appear on the password box. Notice "The Secret Page" in the image I have provided above.
    (Note: Till I put this in HTML format, you will obviously not see the image)

  * Step 6: To create the password file, issue the following command:

        htpasswd -c .htpasswd user_name

    (where user_name is the new user you wish to provide access)

    If you wish to store your '.htpasswd' file in a directory other than the one you are protecting, you will need to specify that when creating the file. My example below will create '.htpasswd' in the '/home/httpd/html/test' directory that I have specified in the '.htaccess' example file above:

        htpasswd -c /home/httpd/html/test/.htpasswd user_name

  * Step 7: The system will ask you to enter the password for this user. It will then ask you a second time to confirm your typing.

  * Step 8: Continue to add new users. However, when adding additional users there is no need for the '-c' option, as that option is only used to create the '.htpasswd' file.

        htpasswd .htpasswd new_name

    (where new_name is the additional user you wish to add)

That is all there is to it! If you have any issues with your installation or just change your mind about using 'htaccess', simply issue the command below.

    rm .htaccess

As I mentioned above, this is not the MOST secure way to protect your data. However... "something is better than nothing". Hope you enjoy!
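
The caveats in this HowTo (never put '.htaccess' in the root web directory, Basic authentication is not encrypted, and where the '.htpasswd' file is stored) can be checked with a small shell function once a directory is set up. This is an added example, not part of the original HowTo; the function name audit_htaccess, its finding labels and the temporary sample directory are made up for illustration, and it assumes unquoted paths without spaces.

```shell
#!/bin/sh
# Added example (not from the original HowTo): audit one protected directory
# against the caveats listed in the text. Assumes unquoted paths, no spaces.
# Usage: audit_htaccess DOCROOT DIR
audit_htaccess() {
    docroot=${1%/}; dir=${2%/}; f="$dir/.htaccess"
    if [ ! -f "$f" ]; then echo "MISSING: no .htaccess in $dir"; return 0; fi

    # The HowTo's main warning: never put .htaccess in the root web directory.
    if [ "$dir" = "$docroot" ]; then
        echo "ROOT: .htaccess is in the root web directory"
    fi

    # Pull directive values; Apache directive names are case-insensitive.
    authfile=$(awk 'tolower($1)=="authuserfile"{print $2; exit}' "$f")
    authtype=$(awk 'tolower($1)=="authtype"{print tolower($2); exit}' "$f")
    req=$(awk 'tolower($1)=="require"{print $2; exit}' "$f")

    if [ -z "$req" ]; then echo "OPEN: no 'require' line"; fi
    if [ -z "$authfile" ]; then
        echo "NOFILE: AuthUserFile is not set"
    elif [ ! -f "$authfile" ]; then
        echo "NOFILE: $authfile does not exist"
    fi
    # A password file under the web root is only safe if the server refuses
    # to serve it, so flag it for a manual check.
    case "$authfile" in
        "$docroot"/*) echo "WEBPATH: password file is under the web root" ;;
    esac
    if [ "$authtype" = "basic" ]; then
        echo "PLAINTEXT: AuthType Basic sends the password unencrypted over plain HTTP"
    fi
    return 0
}

# Constructed sample: the HowTo's .htaccess, rebased onto a temporary web root.
demo() {
    root=$(mktemp -d)
    mkdir "$root/test"
    : > "$root/test/.htpasswd"          # empty stand-in for htpasswd output
    cat > "$root/test/.htaccess" <<EOF
AuthUserFile $root/test/.htpasswd
AuthGroupFile /dev/null
AuthName "The Secret Page"
AuthType Basic
require valid-user
EOF
    audit_htaccess "$root" "$root/test"
    rm -rf "$root"
}
demo
```

On the sample layout, which mirrors the HowTo's own setup, the function reports the WEBPATH and PLAINTEXT findings and nothing else.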