Securing Gallery

Basic Authentication
Additional Album Security

Basic Authentication

Basic HTTP Authentication allows you to add a second layer of security to your Gallery. It also prevents people being able to "hotlink" albums directly from your albums directory. The disadvantage is that basic HTTP authentication isn't compatible with Gallery authentication. This means that if you want to give user permissions with the Gallery authentication system (e.g. to add pictures) they will have to login twice. As such, this may not be the best solution for everyone, though it is the most secure.

Example of Basic HTTP Authentication (Mozilla)

Setting up basic authentication is relatively simple. It can get a little complex or annoying if you don't do certain things, however. For instance, I recommend putting your albums directory inside your main Gallery directory, as a sub-directory. This makes it easier to protect. If it's not already there, it's easy to move, just move it and rerun the configuration wizard.

Now that you have the preliminaries, edit the .htaccess file in your gallery directory. Add the following

    AuthName "My Gallery"
    AuthUserFile /path/to/gallery/directory/.htpasswd
    AuthType Basic
    require valid-user

Now you need to create the .htpasswd file which will contain usernames and passwords. If you have shell access, use the htpasswd command, e.g. htpasswd -c /path/to/gallery/directory/.htpasswd [username] After you add one username, run the same command for the next user, without the -c flag.

If you don't have shell access, you'll have to create the .htpasswd file manually. There are some web-based pages that will help you, for instance this page. Enter the username and password, and add it to the .htpasswd file in your Gallery directory. Each username and password crypt should be on a separate line.

After you have that setup, basic authentication should work!


Because you edited your .htaccess file in your Gallery directory, you will have to re-add these lines if you re-run the configuration wizard.

Additional Album Security

Because of Gallery 1.x's design, the albums directory must be in a publicly accessible directory. So, some people who want extra privacy will want to prevent spiders, search servers, and hotlinkers from stealing the images and bandwidth, but still grant regular users access.

To do this, we will use Apache's mod_rewrite module. Your server must have this module installed to do this. See the Apache documentation for more information. Additionally, if when you installed Gallery the config wizard instructed you to add lines to your httpd.conf to allow .htaccess files to work, then you should review those lines and add something similar to httpd.conf for your albums directory. Otherwise, your changes to .htaccess may not have any effect.

Basically, what we'll do is only allow Apache to serve the images to people who are coming from your site. To do this, we'll check the referrer (misspelled in the HTTP RFC as "referer"). To do this, add the following lines to a .htaccess file in your albums directory NOT YOUR GALLERY DIRECTORY (you will have to create the .htaccess file in your albums directory, unless you've added something before).

<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteCond %{HTTP_REFERER} !^*$ [NC]
        RewriteCond %{REMOTE_HOST} ^.*\$  [NC]
	RewriteRule ^/albums/.*\.(jpg|gif|avi|png)$  -  [F]


Obviously, change to the real address of your gallery directory. ^/albums/.*\.(jpg|gif|avi|png)$ is the pattern to your albums directory. It uses regular expressions. You can find more information about regular expressions by searching Google or buying a book. The line regarding exempts addresses coming from from the ban. This allows users to still be able to use ShutterFly.