From my www-auth paper (http://www.seifried.org/security/www-auth/):
Apache supports a wide variety of authentication methods, several of which
can be considered "standard" and are typically included in vendor packages
of Apache. You can assign security to files and directories with Apache; the
configuration for this is done either in the central httpd.conf file or in
the defined "AccessFileName". For example, to make ".htaccess" files your
access file you would add the following to httpd.conf:
AccessFileName .htaccess
And in order to prevent people from downloading these files you would add
the following to your httpd.conf:
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>
This means that any file starting with ".ht" (i.e. .htaccess, .htpasswd,
.htgroup, .htfoobar) will not be sent if a client requests it.
You will then need to configure Apache to allow for specific features, using
the "AllowOverride" directive within a "<Directory>" configuration section.
Typically the safest thing to do is define a "<Directory />" that disables
everything and then enable features as needed on a per directory basis. For
example to allow .htaccess files in /var/www/secure-area:
<Directory /var/www/secure-area>
    AllowOverride AuthConfig
    Order allow,deny
    Allow from all
</Directory>
If your .htaccess file does not work and "AccessFileName" is defined then
this is probably the problem.
Kurt Seifried, kurt@seifried.org
PGP Key ID: 0xAD56E574 Fingerprint:
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/
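The pieces from the post assembled into one working configuration, as an added example that is not from the post or the www-auth paper; the paths, realm name and password-file location are assumptions, and the Order/Allow syntax is the Apache 1.3/2.2 form the post uses.

```apache
# Added example (not the post's own config). Assumptions: DocumentRoot
# /var/www, the protected area /var/www/secure-area, and the password
# file at /etc/httpd/secure-area.htpasswd, i.e. outside the document
# tree so it can never be served even if the <Files> rule is removed.

AccessFileName .htaccess

# Never serve the access, password or group files themselves
# (.htaccess, .htpasswd, .htgroup and anything else starting ".ht").
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

# Lock everything down at the filesystem root first: no options,
# no .htaccess overrides, no access at all.
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

# Re-open only the document tree, still with overrides disabled.
<Directory /var/www>
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

# Only this directory may carry auth directives in its .htaccess;
# any other directive class in that file is still a server error.
<Directory /var/www/secure-area>
    AllowOverride AuthConfig
    Order allow,deny
    Allow from all
</Directory>

# /var/www/secure-area/.htaccess then contains just the AuthConfig
# directives (shown here as comments so this block stays one file):
#   AuthType Basic
#   AuthName "Secure Area"
#   AuthUserFile /etc/httpd/secure-area.htpasswd
#   Require valid-user
```

If the .htaccess silently has no effect, the usual cause is an AllowOverride None inherited from a parent <Directory> block, which is exactly the symptom the post describes.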