This website is completely static; it does not use an application server, a CMS or any server-side rendering like PHP. However, I want the family blog to require some means of authentication in order to access it. HTTP Basic Authentication with an .htaccess file should suffice to achieve this.

Also, I wanted to be able to completely override the published files. Therefore, Hugo has to create the .htaccess file.

I solved that by putting the target .htaccess files into my Hugo site’s /static/the-family-blog/ folder like so:

# taken from https://wiki.uberspace.de/webserver:htaccess#verzeichnisschutz_mit_erzwungenem_https
# Always redirect to HTTPS
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteCond %{ENV:HTTPS} !=on
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

# Enable HTTP Basic Auth
AuthType Basic
AuthName "The Family Blog"
# This file _should_ be outside the document root 
AuthUserFile /var/www/virtual/mikeherzog_de/.htuser

Order Deny,Allow
Deny from all
Satisfy Any
# Plain-HTTP requests pass without auth (they only get the redirect above) ...
Allow from env=!HTTPS
# ... every HTTPS request needs a valid user
Require valid-user

This configuration requires a /var/www/virtual/mikeherzog_de/.htuser file (the AuthUserFile directive, line 12) that contains my valid users. This file should lie outside the document root folder, so that it is inaccessible from the web.
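A pre-publish check for the "outside the document root" rule, as an added example that is not part of the original post. The function names and every path under /srv/example are constructed for illustration; pass your own .htaccess text and document root.

```python
import posixpath

def auth_user_file(htaccess_text):
    """Return the argument of the first AuthUserFile directive, or None."""
    for line in htaccess_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "authuserfile":
            return parts[1].strip().strip('"')
    return None

def check_user_file(htaccess_text, docroot):
    """Return a list of problems with the password file location."""
    path = auth_user_file(htaccess_text)
    if path is None:
        return ["no AuthUserFile directive found"]
    if not posixpath.isabs(path):
        # Apache resolves a relative AuthUserFile against ServerRoot,
        # not against the folder that holds the .htaccess file.
        return [f"{path}: relative path, resolved against ServerRoot"]
    # normpath collapses ".." segments; it does not follow symlinks.
    resolved = posixpath.normpath(path)
    root = posixpath.normpath(docroot)
    # commonpath compares whole path components, so a sibling such as
    # /srv/example/html-old is not mistaken for /srv/example/html.
    if posixpath.commonpath([resolved, root]) == root:
        return [f"{resolved}: inside document root {root}"]
    return []

# Constructed sample input (not the author's real paths).
DOCROOT = "/srv/example/html"
SAMPLE = """\
AuthType Basic
AuthName "The Family Blog"
AuthUserFile /srv/example/.htuser
Require valid-user
"""

if __name__ == "__main__":
    print(check_user_file(SAMPLE, DOCROOT) or "password file is outside the document root")
```

Because Hugo copies everything under /static into the published site, a password file placed next to the .htaccess would fail this check.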