.htaccess help please



I’m a newbie… With DreamHost I’ve discovered I can go to the “goodies” area of the panel to generate passwd protection for directories. Anyone know how this DreamHost feature handles the htpasswd file? I unerstand it should go above your web site so that visitors can’t get to it. Does DreamHost place it there automatically.

Also if someone could give me an example or two on what needs to be entered in the first item… do you just put the name of the directory you want to protect there… or does it require the full path to the directory?



No, it doesn’t. When you use this feature from the control panel, it puts both the .htaccess file and the .htpasswd file in the directory you are protecting.

If you still want to have the control panel build the files for you, you can do so and then move the created .htpasswd file above the web directory and edit the resultant .htaccess file to change the path to that file.

Well, you never have to enter the “full” path, as the system prepends the domain name (which actually completes the path to that point), but you should put the directory name “beneath the domain name”.

For example, if you want ro protect http://yourdomain.tld/private, then “/private” is what should be in the box.

Of you want to protect http//yourdomain.tld/images/private, then “/images/private” is what you should put in the box.



okay… got it…many thanks


You are welcome, and good luck! :slight_smile:



I’d like to know more about where is best to actually place the htpasswd file. I’ve just let the panel create and place and had no idea that it could be viewed. I’ve just tried to pull mine up in the browser and it didn’t work, but I’d like to here about potential issues!

“Whenever you find yourself on the side of the majority, it’s time to pause and reflect.” - Mark Twain


Common security practice is to place the .htpasswd file in a “non-web accessible location”, such as in a directory “above” or “outside” of your web space. This is done to make it even more difficult for someone to obtain it via the web and apply a “cracking” exercise on it to reveal/obtain the enclosed passwords.

In reality, with proper permissions set, it is still pretty safe even if served from within your webspace (as you have just seen demonstrated by your attempts to “browse” to it). The potential problem is that a “borken” server, or other script that runs amok could create an error condition that might result in it being “exposed” (hence the advice to “just keep it off the web altogether)”.

You are probably asking, 'If this is the case, then why does DreamHost’s panel tool put it there in the first place?" While I can’t speak for DreamHost definitively, I suspect it is probably due to ease of operation and management of that function from the control panel. Keeping the .htpasswd file with the .htaccess file that refers to it “together” in a directory makes it easier to manage the beast when different .htaccess/.htpasswd files are used for different directories.

For example, if you set up http://yourdomain.tld/private to be protected this way, and the panel wrote the .htaccess file to /home/user/yourdomain.tld/private and the .htpasswd file to /home/user/ that would work fine until you tried to do the same thing to http://yourdomain.tld/private2 - the .htpasswd for that dir, if written in the same manner, would overwrite the .htpassed file that already exists in /home/user/ (for http://yourdomain.tld/private/).

Sure, there could be more programming implemented to collect a different filename for the .htpasswd file from the user, test for existence/conflicts, trap errors, etc., but the DreamHost panel tool does not do any of that - they just rely upon the *nix permission system to protect the .htpassed file, and put it in the directory it is related to, thereby avoiding the problem.

Of course, there is no rule that says the “.htpasswd” file has to be named “.htpasswd” (unlike the .htaccess file, which needs to stay named that way!). While you can’t see them in a browser, you can see them via the shell, or via SFTP/FTP, and can inspect and edit them. If you do so, you will see that the .htaccess file defines what file it is using to store the passwords as a text string in the file - and you can change both the path to the file,and the name with any text editor.

Traditionally, the .htaccess file is created with an editor, and the .htpasswd file is managed with a shell tool; the DreamHost panel functionality just makes this easier for non “shell/*nix” savvy users - and the trade off is, at present at least, the default placement of the .htpasswd file in the target directory, and the use of “.htpasswd” as the naming convention.

The advantage to the tool is that you can easily add/delete users and change password from with the panel via a form instead of having to use the “standard” tools - the disadvantage is that using that method, you have less flexibility (none, actually) as to what you name the .htpasswd file, and where it is stored.

As I pointed out, you can of course still use the panel to generate the files (and then edit the .htaccess file as desired and move/rename the .htpasswd file), but once you have gone that far you are well on your way to just doing it all by hand “old school style”.

Doing it by hand has a lot of advantages, particularly if you try to add password protection to a directory that already has an .htaccess file (the DreamHost panel tool rewrites that, which can break your application) because you can just add the appropriate password protection information to the existing .htaccess file.

There are many very good tutorials on the web that explain all this in full and glorious detail, if you are particularly interested - hopefully some of what I’ve written will either answer you question or pique you interest. :wink:



Hi again RL…

While I’ve always considered myself computer savvy… I must admit that being new to web design I’ve had a great deal of difficulty trying to wrap my brain around the htaccess and passwd code.

Prior to finding this form, I had read quite a few online articles about how to do all this… and most of them refer to making sure the “full path to the passwd file” is in the htaccess file.

When I look at my directory tree on the DreamHost Esprit FTP server the root directory is just a folder icon with a slash… no directory name or letter is there. Assuming that it’s best to put the htpasswd file immediately under the root directory… how then do I write the full path inside the htaccess files?

Thanks for your help


Part of that confusion is the result of what your FTP client reports as “root” vs what is really root. People use all kinds of terms here to refer to their machine user’s “home” directory - “user root”, “main user directory”, etc.

What your FTP client reports as “root” ("/") is actually not “root” at all. On DreamHost’s setup it is actually “/home/username”. What is often referred to as your “web root” (I hate that term, preferring to refer to it as your “top level web accessible directory” for a given domain or your “web base directory”) on DreamHost is actually "home/username/domain.tld (or whatever you named the base directory for the domain when you added the domain to the system in the web panel).

By default, DreamHost uses “domain.tld” for this dir name unless you change it.

All that said, the only really useful places “outside” the web accessible part of your user space to put the .htpasswd file(s) is in the /home/username directory (which is above the “web base” dir (“domain.tld”), or in a directory that is a “sibling” to your domain.tld dir(s). If you do this , you can see how you might need to rename the .htpasswd file(s) if you use more than one, or develop some other system for storing them so they don’t conflict.

If you don’t want a bunch of .“htpasswd” files cluttering up you “user” dir, you can make “sibling” directories under your “user” dir (at the same dir tree level of your domain.tld dirs) and use them, either one for each domain’s .htpasswd file(s) or in the way I describe further below. :wink:

Finally then, you define the “full path inside the .htaccess files” as whatever path description accurately locates the file.

For instance, if the .htaccess file is is in “domain.come/private” (which is really “/home/user/domain.tld/private”) and you want to put the .htpasswd file in the directory that your FTP client just shows as “/” (which is really “/home/username”) you would enter:

/home/username/.htpasswd (or whatever you named the file)

The system I use is to put all the .htpasswd files for the various directories I may have protected across my various websites, domains, and subdomains on DreamHost in a special directory (folder) below my username, and then reference them directly with the appropriate path and filename, as in:

/home/username/htpasswords is the dir that holds -

and then I reference them in whatever .htaccess file they are called from as:


This give me a lot of flexibility, keeps the “.htpasswd” file inaccessible from the web, and allows me to use descriptive names for the “.htpasswd” files so I don’t get them confused.

It’s easy enough to get the wrong .htaccess file in the wrong directory if you are managing a bunch of sites, and it’s just as easy to confuse a series of identically names .htpasswd files - this system makes it easy for me to tell exactly what .htpasswd file goes with which protected directory.

I don’t know if any of that is helpful, or if I only added to the confusion, so please let me know if I’ve answered your question or only made it worse. :wink:



Thanks again RL…

.htaccess is much clearer now… especially the “path” part. I will likely use various parts of the suggestions you’ve given me. Much appreciated!


You are welcome, and I’m glad you found at least some of that to be useful. :slight_smile:



That was one NICELY explained essay there… you should no doubt put that into the wiki!

MUCH appreciated, RL… I definitely have a much better understanding of this and it triggered some understandings in related areas.

I think judging from that I’ll just let the panel do em as it wishes with what I am protecting now, as it is not truly sensitive material (just stuff I don’t want my wedding video clients to run up on!), but that information should come in very handy in the future.

Again, thanks a TON for the essay!!!

“Whenever you find yourself on the side of the majority, it’s time to pause and reflect.” - Mark Twain


Thank you for your kind and gracious comments, dwr! :slight_smile: I realize that I get a bit verbose at times; it is nice to know that occasionally someone benefits from such excesses of verbiage.

I think you’ll likely be fine just leaving those files where the Control Panel tool puts them, and if you should decide to change them later, hopefully some of the info in that tome will be helpful. :wink:



Hi to all… RL some great insights into the world of .htaccess…

I’m fairly new to web building, lived off the basics and now moving forward… I’ve been trying to understand .htaccess & .htpasswd and why it’s necessary…

Currently, for the sites I work on I would have 2 users max on the system and in that case is the .htpasswd file really necessary in my case? I have no problem logging into Dreamhost to make changes.

I’m really looking for a way to prevent my folders being seen - for example, if i were to type… http://www.mysite.com/img the entire list of images would show up.

Also I’m on mac, so terminal is optional to write the .htaccess file but I’m finding it hard to find out how to do so online…

Thanks for your help!


Probably not. Apache authentication using .htaccess and .htpasswd is generally used to keep visitors from seeing a dir, page, etc. without completing a user/pass dialog - and really doesn’t have any effect of “making changes” unless it is protecting a web script that could be used via a browser for such a purpose.

That is easily done a couple of different ways. You can do it with a line added to an .htaccess file that impacts the directory in question. In your case it could be " /home/username/mysite.com/img", or any “uptree” directory, as .htaccess files affect the directory they are in and any directory below that directory. To supress the display of the “index” of files in a directory, the line to enter in the .htaccess file is:

Options -Indexes

This information, and a lot of additional useful material about .htaccess files is available on the DreamHost Wiki:


This page also has a section on how to create .htaccess files. Why don’t you take a look at that page, and if you still need help creating an .htaccess file after reading through that, post back with a more specific question and I’m sure we can get you sorted. :wink:



Thanks a lot it worked. I did go to that page before but it somehow did not make as much sense…

Silly question, Should I put this file in each of the subfolders? I get that everything in the folder images and inside of that will be protected - but the folders ‘alongside’ images.


You’re welcome, and I’m glad you have it working. :slight_smile:

It’s not really a silly question. An .htaccess file affects the directory it it is any any directory beneath it (unless overridden by a subsequent .htaccess file in a sub-folder). So, you could either put that same .htaccess file in each “sibling” (“alongside”) directory, or put it above that level of subdirs.

If the “parent” directory of those “sibling” directories already has an .htaccess file (and many sites do!), then just adding that line to the existing .htaccess file will do the trick.

An easy way to make sure that directory are suppressed for your entire site is to just put that line in an .htaccess file at the “base” directory of your site. :wink:



Hello R.L…

A little more advice please on .htaccess… and sorry this is long.

I thought I had it down based on your previous advice but alas I don’t have it working as it should. So with your patience, I will give an example here of what I’m trying to do and hopefully you can straighten me out.

I have created a site using wysiwyg web design software. I’ve published the site and it is on the esprit server and working fine. So now comes the .htaccess part.

In my site I have a members page. I am setting up links for individual clients… and for example I want the owner of Widgits Inc to link to a directory that will allow him to download the audio files in “his” directory from esprit to his local machine. I don’t want him to see anyone else’s directory and I don’t want anyone else to be able to see his.

The protected directories have to be under the “your domain.tld” directory… right?

Also, when creating the links in the wysiwig… the only appropriate options for links seem to be “file” or "audio file."
If I understand correctly, when the Widgits guy clicks on his member link, .htaccess is supposed to make a password dialog box pop-up right? I though I had it set-up correctly but when I tested the link, it went straight to playing the audio file without asking for a password.

In trying to set all this up… I’ve apparently either not set up the directory tree correctly… left something out of the .htaccess file (by the way I used one of those automatic generator utilities to create the code)… or didn’t do the link properly… or maybe all of the above. Should I as you suggested earlier, use DreamHost panel to generate .htaccess and then move things around?

In creating the directory where the Widgit Inc. audio files will be located… do I create that directory on the FTP server… or create it on my local machine and then upload it?

Or do I have to create an additional web site page to link to? I doesn’t seem that would be the way to go because the audio files would not all end up in the one directory… they would just be separate files under the main web site directory.

I had better stop now before you run out of patience!!

Many thanks


Let’s see if I can help get this sorted out. Having carefully read your post, one thing that comes to mind is that thing might actually be working for you as expected, but you are not able to see it because of the way Apache basic authentication works with your browser.

Once a user has successfully passed an authentication dialog, apache will not ask again while that browser is open unless/until the .htaccess file is changed. This can easily lead you to believe, when you are setting things up, that the authentication routine is not working when it actually is; only by closing your browser and trying again to connect to a protected area can you be sure that it is, or is not working.

The use of wysiwyg software might be complicating your issue slightly in some subtle way, though it really should not have anything to do with the authentication stuff. I am, however, confused as to what you mean by "the only appropriate options for links seem to be “file” or “audio file” - a link is just a link, adn I’m not sure how/what/why the software makes any distinction as to what the link is to.

If I understand this correctly, that “members’ page” is not protected, but only lists links to each member’s “private directory”, and those directories are what are to be protected via .htaccess. Is that correct?

Yes, they must be “somehwere” beneath your “web base directory” to be accessible from the web, but they do not have to be immediately beneath your “top” directory.

This is a bit confusing to me, as I initially had though you were just providing links to the members directory as opposed to an individual file, but either way, if the file is placed in a directory that is protected by .htaccess, then the authentication dialog should be presented the first time a user click a link the links to the file.

It could be any, or a combination of, those things that are causing your unexpected behavior - it’s really hard for me to guess from your description what may be happening. Also, what “automatic generator utility” are you using to “create the code”?

You could certainly consider just using the DreamHost provided Control Panel tool fro password protecting directories to get you started easily (that what it is for) and then move thing around if you desire, or leave them as DH sets them up.

It should make absolutely no difference at all - as long as the directory ends up on your server the end result should be the same.

I’m confused by this question; whether or not you create a separate page or not is not relevant, only the location of the page/file/etc. to be protected - they must be in a protected directory for the authentication to take place, whether a file, or a page, it matters not.

Ha ha , well, I still have some patience left, and I’d like to help you, but I admit I’m confused about the details of what you are describing in a few places, and “the devil is in the details.” You might consider posting a url to your site (using dummy data files) so we can see what you have structured rather than just relying upon your descriptions - sometime stuff is lost in the translation. Alternately, you are welome to PM me with a url if you would like for me to look at it but do not wish to publish your url in public.

What “wysiwyg” software are you using? Some such software (most notably iWeb) tends to “mess with” a sites directory structure as it “builds a web”, and this could be having an impact on your efforts.

In a nutshell, what it seems you are trying to do is to have a structure that looks something like this: http://yourdomain.tld ___________________________|__________________ | | http://yourdomain.tld/member1 http://yourdomain.tld/member2 | | http://yourdomain.tld/member1/file1 http://yourdomain.tld/member1/file2 and you want the member1 and member 2 directories to be password protected.

To do this, you put the .htaccess file with the authentication directives in those directories. Then, if you wish, you can either put a page in each of them (index,.html) to link to each of the files, or just let the files display in a directory listing for the user to “click” - either way, those files will not be visible to anyone who does not pass the password dialog.

Does any of this help at all?




Thanks for dissecting my rambling questions. Since posting them I’ve have some success. I actually got one of the directories protected and I successfully logged in… but just as you said, when it didn’t work the next time I assumed that it was not working. After much frustration, I closed the browser and next time, it worked correctly again.

Then possibly getting too big for my britches, I tried setting up another protected directory. I tried to make it a carbon copy, with a different directory name of course, but the second one bypassed htaccess and went straght to the files I was trying to protect. There must be quite a few bald newbies out there who have pulled out all of their hair in furstration.

Another strange thing, my web host is DreamHost… and I used their htaccess utility to generate the access code and encrypted passwords. In the process I moved the password file above the web site directory and changed the path to it in the access code… and when I was creating the second one… it seemed that the utility “re-encrypted” the password for the first directory I created and now it won’t take the password. sheeesh this is maddening. Ever run across something like that before. I think I need to go lay down. aaarrrggghhh!!!

And yes, my site has a members page with multiple link buttons… they link to directories on my local machine which contain the files I am trying to protect. I created identical directories on the server and upload to them. Could that be part of the problem… I wouldn’t think it would matter but should the directories I’m trying to protect on the server have a different name?

Thanks again.


Okay, so that is the model for what you want to do for each directory. Duplicate what/how you did things for this directory for the other directories, and you should be golden.

While I can’t be certain without seeing it, I suspect that this might be the result of a misplaced directory; if that directory was beneath the prior, then the behavior you experienced is to be expected. :wink:

Well, once you start moving around the output of the utility, you risk “confuzzling” the panel utility. Per the philosophy of “learning to walk before trying to run”, I suggest sticking with the DH COntrol Panel .htaccess utililty output as is (even if it stores the .htpasswd file in the target directory) and getting that to work for each involved directory before mucking about with changing the locations/names of the .htpasswd files. I talked about this at length in a prior post in this thread.

As long as those “links” are “relative” instead of “absolute” (so they are properly translated to their correct location of the server, it shouldn’t make any difference. In fact, doing it that way you would need to make certain that the directory names were the same (or change the links for the “buttons”) for it to work.