How do I restrict access to my website with usernames and passwords that I manage?
Note: If all of your users have PennKeys, please consider the more secure and much simpler approach using Penn Weblogin.
The HTTP Basic Authentication method allows you to restrict access to areas of your website by managing your own usernames and passwords. Use this approach if you need to restrict access to users who do not have PennKeys and/or want the convenience of sharing a single username and password among users. It is available on all domains via HTTPS (such as https://www.seas.upenn.edu/~username/protected/).
To use HTTP Basic Authentication on SEAS servers, you'll need to create two files, .htaccess and .htpasswd, in the folder you want to protect.
Using your favorite text editor, create a .htaccess file in the directory you want to secure with contents similar to this:
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /home1/c/clifford/public_html/protected/.htpasswd
Require valid-user
The path to the password file after AuthUserFile follows this format (first initial and username are those of your SEAS account; protected is the directory you are securing):
/home1/<first initial>/<username>/public_html/protected/.htpasswd
If you've created the file on your local machine, transfer it to the directory you want to protect. See How do I transfer files to a SEAS account? for more information.
Now log into the command line on eniac.seas.upenn.edu. Navigate to the directory you want to protect that contains your .htaccess file. Run the htpasswd command with the -c option to initialize your .htpasswd file. It will create the file if it doesn't exist or replace all of the contents in an existing file with the specified user. In this example, the file is initialized with the user "cliff" (use whatever username you want):
htpasswd -c .htpasswd cliff
Enter a password for the user at the prompt.
Make sure both your .htaccess and .htpasswd files are readable by the web server. SEAS has provided the chgrp-httpd command to give the web server read access to files or directories while preventing other accounts from seeing them.
Warning: Do not use the chgrp-httpd command if you are protecting files in your webdav directory. A scheduled task periodically sets these permissions correctly.
Log into eniac.seas.upenn.edu and run these commands (using the protected directory as an example):
chgrp-httpd ~/html/protected
chgrp-httpd ~/html/protected/.htaccess
chgrp-httpd ~/html/protected/.htpasswd
Note: it is not advisable to use the chgrp-httpd script if you are protecting files in your CGI directory. Instead, chmod the protected directory to 711.
Your password protected site should now be available:
https://www.seas.upenn.edu/~username/protected/
Replace username with your SEAS account name and protected with the directory you created.
Important: An encrypted connection is mandatory. Protected directories must be accessed via HTTPS or an error will be returned.
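Added example (not part of this help page): a POSIX shell function you can run on eniac to check a protected directory against the setup above. It assumes the .htaccess and .htpasswd pair described here, that the web server reads .htpasswd through the group permission set by chgrp-httpd (so the file should not be world-readable), and that every .htpasswd entry was produced by htpasswd rather than typed in as a plaintext password; the directory path passed to it is yours.

```shell
#!/bin/sh
# audit_basic_auth DIR: verify the HTTP Basic Authentication setup in DIR.
# Prints one line per finding and returns 0 only if every check passes.
# Assumptions: .htaccess uses AuthUserFile (as in the SEAS example), the web
# server reads .htpasswd via its group, and "other" should have no read bit.
audit_basic_auth() {
    dir=$1
    rc=0
    if [ ! -f "$dir/.htaccess" ]; then
        echo "missing $dir/.htaccess"; return 1
    fi
    grep -q '^AuthType[[:space:]]*Basic' "$dir/.htaccess" \
        || { echo "AuthType Basic not set in .htaccess"; rc=1; }
    grep -q '^Require[[:space:]]*valid-user' "$dir/.htaccess" \
        || { echo "no 'Require valid-user' line in .htaccess"; rc=1; }
    # Path after AuthUserFile, with optional surrounding quotes stripped.
    pwfile=$(sed -n 's/^AuthUserFile[[:space:]]*//p' "$dir/.htaccess" | tr -d '"')
    if [ -z "$pwfile" ] || [ ! -f "$pwfile" ]; then
        echo "AuthUserFile missing or file does not exist: '$pwfile'"; return 1
    fi
    # Column 8 of "ls -l" is the read bit for "other" (world-readable).
    if [ "$(ls -ld "$pwfile" | cut -c8)" = "r" ]; then
        echo "$pwfile is world-readable; use chgrp-httpd instead of chmod o+r"; rc=1
    fi
    # Each line is user:hash. Accept the hash formats htpasswd writes; anything
    # else (a plaintext password, or legacy crypt) is reported as suspect.
    while IFS=: read -r user hash; do
        [ -z "$user" ] && continue
        case $hash in
            '$2y$'*|'$2a$'*|'$2b$'*) kind=bcrypt ;;
            '$apr1$'*)               kind=apr1-md5 ;;
            '{SHA}'*)                kind=sha1 ;;
            *) echo "user $user: hash not recognised (plaintext or legacy crypt)"; rc=1; continue ;;
        esac
        echo "user $user: $kind"
    done < "$pwfile"
    return $rc
}

# Run directly as: sh audit.sh ~/html/protected
if [ $# -gt 0 ]; then
    audit_basic_auth "$1"
fi
```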
How do I change passwords or add new users?
To add more users or change the password for an existing user, simply run htpasswd without the -c option. In this example, a new user, "eric", is added:
htpasswd .htpasswd eric