HTTP auth with .htaccess
Reviewedbyfl
Markdown ↓Secure areas with authentication.
To limit access to your cloud development environment, you can use HTTP (basic) authentication with .htaccess to prompt a username and password for a selected few.
The fortrabbit dashboard also provides a setting for this.
Set a root path below htdocs
To protect the .htpasswd file from public access, you must store it outside the web-accessible root directory. When no framework or CMS was chosen during environment creation, htdocs is the default root folder. Create a new folder, called something like web or root, move all your web contents into it, and set this new folder as the root path in the dashboard.
Create the .htaccess file
Create a .htaccess file in the directory you want to secure, also see our .htaccess articles. Likely that this is your new root directory, can also be below that. Be careful, the dot at the beginning of the file names indicates that it is a hidden file. You can upload the file by any deployment method: with Git, by SFTP or create it on remote via SSH. Please note, that all frameworks and CMS systems will already have an .htaccess file in their own root path. You can modify that as well. This is, what your .htaccess should contain for HTTP auth:
Authtype Basic
AuthName "Welcome to my project. Please Login."
AuthUserFile /srv/app/{{app-env-id}}/htdocs/.htpasswd
Require valid-user
The first line starts the directive. The second line set a hello message which is printed to greet the user. The third line points the server to the file that stores the username and password to login, this is an absolute path. This .htpasswd file should NOT be reachable from the outside, via http. That's why you have moved all the files one level deeper. The last line finally sets the rule, that only valid users are allowed to browse.
Create the .htpasswd file
As you can already guess by now, the .htpasswd file hosts the required username and password to enter your project. And this is how that file can look like:
john:$aSr1$jw6nGOHx$f/HpoNv9thNMd6w35Ttl80
The username is before the colon. The long string after the colon is the hashed password. It needs to be encrypted using the htpasswd tool. "htpasswd" is a command line tool likely installed on your local machine (not available on fortrabbit, so you have to run that locally):
htpasswd -c ~/directory/.htpasswd john
The -c flag creates a new file. The first param defines the file name and absolute path to store it. The second param is the username. The tool will prompt for the password.
Deploy HTTP Auth
You can deploy HTTP authentication to fortrabbit in two main ways: by uploading files directly via SSH or SFTP, or by using a post-deploy hook with Git to automate file generation. Most commonly, you'll want this for a "staging" area — a publicly served version of your website intended only for authorized users, whether before going live or as a permanent test environment. See our staging environments article for more on this.
Likely, your goal is, to ask users for a password only on the staging area, but not on your local environment or even a live version. Unfortunately HTTP Auth does not play very well with standard practices of environment detection, as this is happening on a different layer. Here is what you can do:
Upload via SSH / SFTP
You can upload the two files .htaccess and .htpasswd directly via SSH or SFTP into your App on fortrabbit. This is not very programmatic, but pragmatic. And it works.
Create while deploying
When deploying with Git, you can use a post-deploy hook to trigger automatic generation (or placement) of the required files.
Alternative solutions
HTTP Auth is a basic, standard, minimally invasive solution. There is no UI and no dependency you need to take care of. Even database access is not required. That's the beauty of it. So it's most likely compatible with the rest of your application. But HTTP Auth is not the only way to protect your website with username and password. Your CMS or framework might bring their own solutions for this. There are plenty of plugins for Craft CMS and WordPress.