Setting up basic HTTP Authentication

You can use Basic HTTP authentication to restrict Google's crawlers from indexing our staging site, add an extra layer of protection to your login page or just keep it away from prying eyes. Drupal 8 comes with a core module and there are is this contributed module that provides this feature. But, if you don't want to have extra modules or just need a simple solution, you can use Deployer to pull this through.

Start by creating a .htpasswd that will store the access credentials. To create a new .htpasswd file, you can simply use an encrypted password generator or use the following command:

htpasswd -c .htpasswd username

In the end, your .htpasswd file will be something like this:


Next, we'll create a .htaccess.template file by copying Drupal's .htaccess file and adding the following code at the top:

AuthUserFile {{ path }}/.htpasswd
AuthType Basic
AuthName "Staging Website"
Require valid-user

Nothing too fancy here, we're just letting the server know about the location of the .htpasswd file, it has to be the absolute path in your server or will throw an error. We already have this information on the hosts.yml file that we created previously, so we'll just leave the placeholder for the path variable. This is useful for setting up different environments with minimal effort. If you are dealing with servers with different .htaccess, you can create specific .htaccess.template that you can refer per host in the hosts.yml, as we did for .env files.

Regarding the rest of the code, the term valid-user is telling the system that any user with a valid password can access the page. But if you want to be selective about who you grant access to, you can mention the usernames instead of using valid-user.

Finally, we'll create a new task on deploy.php to create .htaccess file and transfer it together with the .htpasswd file to the server:

task('deploy:auth', function () {
    if (askConfirmation('Are you sure to generate and upload the http auhtorization files?')) {

        // Get template file
        $template = 'templates/.htaccess.template';

        // Insert path from the deploy_path variable
        $replacement['{{ path }}'] = get('deploy_path');

        // Create temporary settings file from template
        $settings = file_get_contents($template);
        $settings = strtr($settings, $replacement);
        writeln('.htaccess created succesfuly');
        $tmpFilename = '.htaccess.tmp';
        file_put_contents($tmpFilename, $settings);

        // Upload files .htaccess and .htpasswd to server
        upload($tmpFilename, '{{release_path}}/.htaccess', ['options'=> ['--inplace']]);
        upload('./templates/.htpasswd', '{{release_path}}/.htpasswd', ['options'=> ['--inplace']]);

        // Delete temporary file

If all went well, when you call the task via the dep deploy:auth <yourhost> command, you should have a dialog asking for the credentials when you access your site.