For an Apache web server, website access restriction is written into the .htaccess file, which is found in the root directory of the website. It can also be created individually for each directory.
The .htaccess file is a text file containing a set of directives for the Web server that apply to the directory and all of its subfolders. If any subfolder has its own .htaccess file, then that subfolder and all of its subdirectories are subject to the directives of the local file rather than that of the root directory.
Important: for .htaccess directives to be applied correctly, their processing must be enabled on the server. This is controlled by the AllowOverride directive in the Apache configuration. For security reasons, many servers have AllowOverride None set by default, which completely disables reading of .htaccess files. For proper operation, add the following block to your virtual host configuration:
<Directory /var/www/your_site/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
After making the changes, reload Apache. For Ubuntu/Debian:
sudo systemctl reload apache2
For CentOS/RHEL:
sudo systemctl reload httpd
The .htaccess file contains additional web server configuration, such as access settings, redirects and special pages. Access to website directories can be restricted in several ways:
Restricting by IP
Restricting by IP denies website directory access for the specified IP address. To do this, append the following directives to your .htaccess file.
order allow,deny
This directive determines the order in which the blocking rules are evaluated. In this case, the allow rules are evaluated first, then the deny rules. The two keywords are separated by a comma only, with no space between them. This must be present at the beginning of the block of restrictions.
deny from 155.144.122.1
This directive denies access from the IP address 155.144.122.1. Use this format if you need all access requests from the indicated IP address to be denied. It applies to all web pages in the current directory, as well as to the subfolders (if they do not have their own customization).
deny from 3a04:250::6f0a:8f06:a4e1:7e10
This directive works like the previous one; here, the IP address is in IPv6 format.
deny from 10.5
This directive denies access from all IP addresses beginning with 10.5, i.e. from an address subnet.
deny from 192.168.0.0/24
This blocks the IP address subnet within the specified range. The HostnameLookups option works in this format.
deny from mydomain.com
Blocks connections coming from mydomain.com.
allow from all
This directive allows access for all website requests.
You can combine the above directives into a single unit, depending on what you want to deny/allow.
For example, the block
order allow,deny
deny from 3a04:250::6f0a:8f06:a4e1:7e10
allow from all
means that all allow lines are evaluated first, followed by the deny lines. Access will be allowed for all requests, except for those coming from the IP address 3a04:250::6f0a:8f06:a4e1:7e10.
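The evaluation order described above can be checked offline with a short script. This is an added example, not code from the original page or from Apache: the function names are hypothetical, it models only the Order/Allow/Deny directives with IP-based specs, and hostname specs such as mydomain.com are never matched because resolving them would need DNS.

```python
import ipaddress

# Constructed sample built from the directives shown on this page.
PAGE_BLOCK = """\
order allow,deny
deny from 3a04:250::6f0a:8f06:a4e1:7e10
deny from 10.5
deny from 192.168.0.0/24
allow from all
"""

def parse_rules(text):
    """Return (order, allow_specs, deny_specs) from 2.2-style access lines."""
    order, allow, deny = "deny,allow", [], []      # Apache's default Order
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key == "order":
            if len(parts) != 2:                    # "allow, deny" is two arguments
                raise ValueError("Order takes one argument: no space after the comma")
            order = parts[1].lower()
        elif key in ("allow", "deny") and len(parts) > 2 and parts[1].lower() == "from":
            (allow if key == "allow" else deny).extend(parts[2:])
    return order, allow, deny

def spec_matches(spec, client):
    """True if a single Allow/Deny spec covers the client IP address."""
    if spec.lower() == "all":
        return True
    if "/" not in spec and ":" not in spec and spec.count(".") < 3:
        octets = spec.rstrip(".").split(".")       # partial IPv4: whole octets only
        spec = ".".join(octets + ["0"] * (4 - len(octets))) + "/%d" % (8 * len(octets))
    try:
        net = ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False                               # hostname spec: needs DNS, skipped here
    return ipaddress.ip_address(client) in net

def is_allowed(rules_text, client):
    """Apply Order semantics: which list wins and what the default is."""
    order, allow, deny = parse_rules(rules_text)
    allowed = any(spec_matches(s, client) for s in allow)
    denied = any(spec_matches(s, client) for s in deny)
    if order == "allow,deny":
        return allowed and not denied              # default deny, a Deny match wins
    if order == "deny,allow":
        return allowed or not denied               # default allow, an Allow match wins
    raise ValueError("unsupported Order value: " + order)
```

Dropping the "allow from all" line from an allow,deny block denies every client, because nothing matches an allow rule and the default for that order is to deny.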
Restricting by Password
To use the directives described below, enable the Apache web server modules auth_basic and authn_file.
To restrict access by password, append the following directives to your .htaccess file.
AuthType Basic
AuthName "Password required to access"
AuthUserFile /path/to/.htpasswd
Require valid-user
The Require valid-user line makes Apache demand a login from a user listed in the password file; without a Require directive, the Auth* lines alone do not prompt for a password.
htpasswd is the utility for password generation found in the /bin directory of the web server. Use this to create a file with a password by running the command
htpasswd -bcm /path/to/.htpasswd username userpassword
“b” indicates that the password is specified on the command line (which leaves it visible in the shell history and the process list), “c” indicates the need to create a new file, and “m” indicates the type of encryption (MD5). “.htpasswd” is the name of the file created, “username” is the name of the user for whom the password is generated, and “userpassword” is that user's password.
As a result, an .htpasswd file will be created with the content:
username:$yqb7$i7Kj719G&erXgfPKfgYewAQNjkEIo8/
To add a user to the existing .htpasswd file, run the command
htpasswd -bm /path/to/.htpasswd username1 userpassword1
To remove a user from .htpasswd, run the command:
htpasswd -D /path/to/.htpasswd username1
For more information on all possible keys, refer to the following:
Usage:
htpasswd [-cmdpsD] passwordfile username
htpasswd -b[cmdpsD] passwordfile username password
htpasswd -n[mdps] username
htpasswd -nb[mdps] username password
-c Create a new file.
-n Do not update the file; display the result on the screen.
-m Encrypt the password using MD5.
-d Encrypt the password using CRYPT (default).
-p Do not encrypt the password (plain text).
-s Encrypt the password using SHA.
-b Specify the password in the command line parameter.
-D Remove the specified user.
On Windows, NetWare and TPF systems, the ‘-m’ flag is used by default.
On all other systems, the ‘-p’ flag can be non-operational.