Litespeed - .htpasswd protection
Password protecting a domain or a directory is an essential element in administering your domain.
As you would imagine, with Litespeed this is very simple and can be done without logging into your server and issuing commands via a terminal.
Firstly, log into your Litespeed administration area. For example:
http://123.45.67.890:31000Once logged in, navigate to the Virtual Host List and select the Virtual Host (domain) that you want password protect.
Once there, select the 'Security' Tab:
At the bottom you will see a 'Realms List'. Click on 'Add'. You have two choices here, a Password File which is the default selection or LDAP.
At the moment we want a simple password file, so click 'next'.
Only two fields need filling in. The first is the Realm Name, call it whatever you want as you can have more than one realm. As you can see I simply called it 'protected'.
The second field is the 'User DB Location'. In keeping with the Virtual Host layout, point it to the config directory and, in keeping with consistency, call it .htpasswd.
When you click on 'save' an Input Error will be produced as the .htpasswd file does not yet, exist. Click on 'CLICK TO CREATE':
Once successfully created, save the input. You will notice the new 'protected' realm has been added to the Realms List.
Now the realm and file have been created, you can add as many usernames, groups and passwords as you wish.
We'll add just one username and password. Click on the the 'protected' realm name and then on the green User DB Location link:
Once done, you will see the User DB Entries list is empty. Click 'Add' and enter the username and password you require. In this case, I have used 'demo' and 'demo' (original I know):
To password protect a domain or a directory, go to the 'context' tab and click 'add'.
We want a simple context so the default Static Type is fine. Click 'next'.
For simple password protection, only three fields need entering.
The first is the URI. To protect the whole domain enter '/'. In this case I want to protect the directory 'private' and leave everything else accessible so I entered '/private/'.
Secondly, select 'Yes' to Accessible as we want to be able to access the directory, just have it password protected.
The other field to set is the Realm. Select the appropriate realm from the dropdown list and, if you want to, enter a description on the Authentication Name field. I've called it 'PRIVATE DIRECTORY':
Click save, Apply the changes and restart the server.
Navigate to the domain or sub directory you protected (e.g. http://mydomain.com/private)and you'll be presented with the standard 'Authentication Required' box:
Once setup, adding more usernames or groups to the .htpasswd file or adding protection to a specific directory is very simple.
PickledOnion.
Digg it | 
del.icio.us | 
reddit | 
StumbleUpon
Subscribe to Feed
Article Comments:
Gleb Esman 10 Jul, 2007
Paul, Could you elaborate on how to setup LiteSpeed to prevent browsing by typing my IP address? (returning 404 or something like that to deter attempts would be nice).
PS: Great tutorial collection - better than anything I've seen on the web/or books!
Gleb
PickledOnion 10 Jul, 2007
Gleb,
One way of preventing, or controlling, what a user sees when they browse to your IP address is to treat it just like any other hosted domain.
Create a virtual host for your IP, e.g. 123.456.78.90 and have a directory layout exactly the same as any other Virtual Host.
This way, you can either serve a blank page, have some rewrite rules to redirect users and so on.
PickledOnion.
Gleb Esman 10 Jul, 2007
Thanks Paul. I actually found a simpler way to achieve it: 1. Configurations->Virtual Hosts->"Example"->"View/Edit"->"Security Tab"->"Access control, Edit". Allowed Lust - empty Denied List - ALL
There is also a way to change how each error page looks like, so I created a small PHP file that prints IP address of "intruder" with the message that "Your IP address has been logged"
I also renamed it from "Example" to my IP: "123.4.56.78"
Gleb
PickledOnion 10 Jul, 2007
Hi Gleb,
Indeed, I had assumed the example 'wildcard' domain had been deleted. It's a virtual host as I describe above.
You can enter any rewrite rules (custom error outputs, etc) in the rewrite tab of a virtual host so each virtual host has separate outputs or you can use a standard .htaccess file in the domain.
Glad it's going well for you.
PickledOnion.