Using the .htaccess to Restrict Access on an Apache Web Server
For an Apache web server, website access restriction is written into the .htaccess file, which is found in the root directory of the website. It can also be created individually for each directory.
The .htaccess file is a text file containing a set of directives for the Web server that apply to the directory and all of its subfolders. If any subfolder has its own .htaccess file, then that subfolder and all of its subdirectories are subject to the directives of the local file rather than that of the root directory.
The .htaccess file holds additional web server configuration, such as access settings, redirects and special pages. Access to website directories can be restricted in several ways:
Restricting by IP
Restricting by IP denies website directory access for the specified IP address. To do this, append the following directives in your .htaccess file.
Order allow,deny
This directive sets the order in which the Allow and Deny rules are evaluated. In this case the Allow rules are checked first, then the Deny rules, and a request that matches neither list is refused. Note that Apache expects the two words without a space after the comma; "allow, deny" is rejected as a configuration error. The directive must be present at the beginning of the block of restrictions.
deny from 184.108.40.206
The directive denies access from the IP address given in the directive (184.108.40.206 here). Use this format if you need all requests from a single address denied. It applies to all web pages in the current directory as well as its subfolders (unless a subfolder has its own .htaccess).
deny from 3a04:250::6f0a:8f06:a4e1:7e10
This directive works like the previous one; here the IP address is in IPv6 format.
deny from 10.5
This directive denies access from all IP addresses beginning with 10.5, i.e. from an address subnet. Partial addresses match on whole octets, so this covers every 10.5.x.x address but not, for example, 10.50.0.1.
deny from 192.168.0.0/24
This blocks the whole IP address subnet within the specified range, written in CIDR notation. The HostnameLookups option works in this format.
deny from mydomain.com
Blocks connections coming from mydomain.com. To match this rule Apache must resolve the client address back to a hostname (a double reverse DNS lookup), so hostname rules are slower and less reliable than IP-based ones.
allow from all
This directive allows access for all requests; combined with Order allow,deny it admits everything that the Deny rules do not reject.
You can combine the above directives into a single unit, depending on what you want to deny/allow.
For example, the block
Order allow,deny
Deny from 3a04:250::6f0a:8f06:a4e1:7e10
Allow from all
means that all Allow lines are evaluated first, followed by the Deny lines. Access is allowed for all requests except those coming from the IP address 3a04:250::6f0a:8f06:a4e1:7e10.
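As an added illustration (not code from this article or from Apache), the following Python evaluates a block of Order / Deny from / Allow from rules the way Apache 2.2 does, so the effect of the ordering can be checked before deploying: under Order allow,deny an address on the Deny list is refused even though Allow from all is present, whereas reversing the Order would let it through. The rule text is the article's own block with the other Deny forms added; hostname rules are rejected because they need DNS.

```python
import ipaddress

# Added example: a minimal evaluator for Apache 2.2-style access rules.
# Supported "from" forms are the ones shown in the article: exact IPv4/IPv6,
# partial IPv4 address (10.5), CIDR or netmask (192.168.0.0/24), and "all".

def _matches(client, pattern):
    """True if the client address falls under one Deny/Allow 'from' pattern."""
    if pattern == "all":
        return True
    if "/" in pattern:                      # CIDR or netmask form
        return client in ipaddress.ip_network(pattern, strict=False)
    try:
        return client == ipaddress.ip_address(pattern)
    except ValueError:
        pass
    parts = pattern.split(".")
    if all(p.isdigit() for p in parts):     # partial IPv4 address such as 10.5
        # Apache matches partial addresses on whole octets: 10.5 covers
        # 10.5.x.x but not 10.50.x.x, and never matches an IPv6 client.
        return client.version == 4 and str(client).split(".")[:len(parts)] == parts
    raise ValueError("hostname rules need DNS and are not supported: " + pattern)

def parse_rules(text):
    """Return (order, allow_patterns, deny_patterns) from .htaccess-style text."""
    order = "deny,allow"                    # Apache's default when Order is absent
    allow, deny = [], []
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        key = words[0].lower()
        if key == "order":                  # tolerate "allow, deny"; Apache itself does not
            order = "".join(words[1:]).lower()
        elif key in ("allow", "deny") and len(words) > 2 and words[1].lower() == "from":
            (allow if key == "allow" else deny).extend(w.lower() for w in words[2:])
    return order, allow, deny

def is_allowed(client_ip, rules_text):
    """Decide whether client_ip is admitted by the given rule block."""
    order, allow, deny = parse_rules(rules_text)
    client = ipaddress.ip_address(client_ip)
    allowed = any(_matches(client, p) for p in allow)
    denied = any(_matches(client, p) for p in deny)
    if order == "allow,deny":               # Deny wins; unmatched requests are refused
        return allowed and not denied
    if order == "deny,allow":               # Allow wins; unmatched requests are admitted
        return allowed or not denied
    raise ValueError("unsupported Order: " + order)
```

In Apache 2.4 these directives are provided by mod_access_compat; new configurations should use Require ip instead.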
Restricting by Password
To use the directives described below, enable the Apache web server modules mod_auth_basic and mod_authn_file (and mod_authz_user, which provides Require valid-user).
To do this, append the following directives to your .htaccess file. They take effect only if the server configuration permits it for that directory (AllowOverride AuthConfig), and since Basic authentication sends the credentials merely base64-encoded, the site should be served over HTTPS.
AuthType Basic
AuthName "Password required to access"
AuthUserFile /path/to/.htpasswd
Require valid-user
The Require line is what actually enforces the check; without it the directory stays open. Keep the .htpasswd file outside the web root so it cannot be downloaded.
htpasswd is the utility that creates and maintains the password file; it ships with Apache and is found in the web server's bin directory. Use it to create a file with a password by running the command
htpasswd -bcm /path/to/.htpasswd username userpassword
“b” indicates that the password is specified on the command line (it is then visible in the shell history and process list; omit “b” to be prompted for it instead), “c” indicates that a new file is created (an existing one is overwritten), and “m” selects the MD5 hashing format. “.htpasswd” is the name of the file created, “username” is the name of the user for whom the password is generated, and “userpassword” is the user's password.
As a result, an .htpasswd file will be created with the content:
To add a user to the existing .htpasswd file, run the command
htpasswd -bm /path/to/.htpasswd username1 userpassword1
To remove a user from .htpasswd, run the command:
htpasswd -D /path/to/.htpasswd username1
For more information on all possible options, see the utility's own usage text:
Usage:
  htpasswd [-cmdpsD] passwordfile username
  htpasswd -b[cmdpsD] passwordfile username password
  htpasswd -n[mdps] username
  htpasswd -nb[mdps] username password
  -c  Create new file.
  -n  Not update file, display the result on the screen.
  -m  Encrypt password using MD5.
  -d  Encrypt password using CRYPT (default).
  -p  Do not encrypt password (plain text).
  -s  Encrypt password using SHA.
  -b  Specify the password in the command line parameter.
  -D  Remove the specified user.
On Windows, NetWare and TPF systems the '-m' flag is used by default.
On all other systems the '-p' flag can be non-operational.