
How do I use htaccess to limit access to entries?


I need to password protect a couple of entries on a site. It is easy to do at the template level but this is at the entry level. I am running Expression Engine.

I tried setting up an htaccess file but it is not yet effective.

It is like this:

AuthName "Restricted Area" 
AuthType Basic 
AuthUserFile /home/server/.htpasswds/.htpasswd 
AuthGroupFile /dev/null 
<Files template_group/entry_name>
require valid-user
</Files>

Where template_group is the name of the actual template_group and entry_name is the actual name of the entry.

Any assistance will be appreciated.

Thanks.


Solution

  • While ExpressionEngine provides its own means for Template Access Restriction to password-protect pages and templates — including handling .htaccess Apache Basic HTTP Authentication — there are situations where you might not want to, or are unable to, use it:

    • For example, the Freelancer Version of ExpressionEngine doesn't include the Member Management Module, so the Template Preferences Manager doesn't offer Access Restrictions.

    • Also, if you elect to use ExpressionEngine's HTTP Authentication, only users with member accounts [in ExpressionEngine] will be able to log in, since EE uses its local member database for authentication.

    If you're the DIY type, you can modify your httpd.conf to limit and password-protect access to ExpressionEngine pages, entries and templates.

    This technique works by:

    1. Editing Apache's httpd.conf
    2. Creating .htpasswd or .htgroup files
    3. Specifying the URL(s) to Protect

    Note: Since we are attempting to match objects at the URL level and not the physical filesystem, we must use a <Location> or <LocationMatch> directive [1].

    Put the following in your server's httpd.conf or vhost.conf file:

    <LocationMatch "^/private">
        AuthName "Restricted Area"
        AuthType Basic
        AuthUserFile /path/to/website/.htpasswd
        AuthGroupFile /dev/null
        Require valid-user
    </LocationMatch>
    

    Be sure to change the values of the directive to your liking and your hosting environment.

    If you haven't already, create the .htpasswd password file to encrypt the desired passwords, either using the command line or an Online .htaccess Password Generator:

    htpasswd -c /path/to/website/.htpasswd username

    If the htpasswd command is not in your Unix path, you'll have to type the full path to the file to get it to run. On my server, it would be:

    /usr/sbin/htpasswd -c /path/to/website/.htpasswd username

    Then, htpasswd will ask you for the user's password, and ask you to type it again to confirm:

    # htpasswd -c /path/to/website/.htpasswd username
    New password: changeme
    Re-type new password: changeme
    Adding password for user username
    

    With everything in place and working, any request to /private* will be handled by Apache before it's routed to ExpressionEngine.


    Voilà — Apache password-protected directories working in harmony with ExpressionEngine (or any CMS really, such as WordPress, MovableType or TextPattern).

    1. The context of the <Location> directive specifies that it can only be used in server config and virtual host configuration files. This means we can't put the rules in a .htaccess file, otherwise Apache will throw a 500 Internal Server Error with the description "Location not allowed here".

      • If you are attempting to match objects at the URL level, you must use <Location>
      • If you are attempting to match objects at the filesystem level, you must use <Directory> and/or <Files>
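
The answer's <LocationMatch> approach applied to the single entry from the question, as an added example that is not part of the original answer. template_group and entry_name are the question's placeholders, and the optional index.php segment is an assumption about how the site's URLs are exposed.

```apache
# Added example for httpd.conf or a vhost file (not .htaccess).
# template_group / entry_name are the question's placeholders.

# Loose: "^/private" is a prefix match, so it also covers /privateer and
# /private-notes, and it does not cover /index.php/private/... if the
# site still answers on URLs that contain index.php.
#<LocationMatch "^/private">

# Tighter: one entry only, with or without the index.php segment
# (assumption: the site may be reachable on both URL forms).
# (/|$) ends the match at a path boundary, so
# /template_group/entry_name2 is not caught by this rule.
<LocationMatch "^/(index\.php/)?template_group/entry_name(/|$)">
    AuthName "Restricted Area"
    AuthType Basic
    AuthUserFile /path/to/website/.htpasswd
    Require valid-user
</LocationMatch>
```

After reloading Apache, an unauthenticated request to each URL form of the entry should return 401, while a neighbouring entry in the same template group should still load without a prompt.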