Authentication / Password Protection in Apache

There are many ways you can password protect directories under Apache web server. This is important to keep your file privates from both unauthorized users and search engines (when you do not want to get your data indexed). Here you will see the basics of password protecting a directory on your server. You can use any one of the following method:

1. Putting authentication directives in a <Directory> section, in your main server configuration httpd.conf file, is the preferred way to implement this kind of authentication.
2. If you do not have access to Apache httpd.conf file (for example shared hosting) then with the help of file called .htaccess you can create password protect directories. .htaccess file provide a way to make configuration changes on a per-directory basis.

In order to create apache password protected directories you need:

• a password file
• and directory which you would like to password protect (/var/www/html/private)

Step 1: Make sure Apache is configured to use .htaccess file

You need to have AllowOverride AuthConfig directive in httpd.conf file in order for these directives to have any effect. Look for DocumentRoot Directory entry. In this example, our DocumentRoot directory is set to /var/www/html/private. Therefore, my entry in httpd.conf looks like as follows:

<Directory /var/www/html/private>
Options Indexes Includes FollowSymLinks MultiViews
AllowOverride AuthConfig
Order allow,deny
Allow from all
</Directory>

Save the file and restart Apache

# service httpd restart

Step 2: Create a password file with htpasswd

htpasswd command is used to create and update the flat-files (text file) used to store usernames and password for basic authentication of Apache users. General syntax:

htpasswd -c password-file username

Where,

• -c : Create the password-file. If password-file already exists, it is rewritten and truncated.
• username : The username to create or update in password-file. If username does not exist in this file, an entry is added. If it does exist, the password is changed.

Create directory outside apache document root, so that only Apache can access password file. The password-file should be placed somewhere not accessible from the web. This is so that people cannot download the password file:

# mkdir -p /home/password/

Add new user called john

# htpasswd -c /home/password/.htpasswd john 

Make sure "/home/password/.htpasswd" file is readable by Apache web server. If Apache cannot read your password file, it will not authenticate you. You need to setup a correct permission using chown command.

Now make the user apache to read our password file:


# chown apache:apache /home/password/.htpasswd
# chmod 0660 /home/password/.htpasswd


Create a directory /var/www/html/private if it does not exist:

# mkdir -p /var/www/html/private


Create .htaccess file using text editor:

# cd /var/www/html/private
# vi .htaccess

Add following text:

AuthType Basic
AuthName "Restricted Access"
AuthUserFile /home/password/.htpasswd
Require user john 

Save file and exit to shell prompt.

Step 3: Test your configuration

Fire your browser type url http://yourdomain.com/private or http://localhost/private or http://ip-address/private

 When prompted for username and password please supply username john and password.

You can add following lines to any file's <Directory> entry in httpd.conf file:

AuthType Basic
AuthName "Restricted Access"
AuthUserFile /home/password/.htpasswd
Require user john

To change or setup new user use htpasswd command again.

Widget for blogger by Way2Blogging