This tutorial describes how to protect a directory in Apache with a password, and control access by client IP.
We assume that Apache is installed in /usr/local/apache
and that you have write access to /usr/local/apache/conf/httpd.conf.
We will not take use of .htaccess files.
The advantage of not using a .htaccess file is described here:
Apache 1.3: http://httpd.apache.org/docs/1.3/howto/htaccess.html#when
Apache 2.2: http://httpd.apache.org/docs/2.2/howto/htaccess.html#when
(It is also more tricky to manage file permissions on .htaccess files, especially if you run Apache with SuEXEC and use different system users for each Virtual Host.)
Create a password file
/usr/local/apache/bin/htpasswd -c /usr/local/apache/conf/htpasswd someuser
New password:
Re-type new password:
Edit httpd.conf
In this example we will protect /usr/local/apache/htdocs, but you can choose any directory, of course.
We will use Basic autentication, and password will be required from anywhere except from localhost (127.0.0.1).
<Directory "/usr/local/apache/htdocs">
AuthType Basic
AuthName "Your title for the popup window"
AuthUserFile /usr/local/apache/conf/htpasswd
Require valid-user
Order allow,deny
Allow from 127.0.0.1
Satisfy any
</Directory>
Test the configuration
Point your browser to the protected directory, both from the same server (should not ask for password) and from another box (should ask for password).