Uncategorized

Password Authentication with Apache using .htaccess file

How to enable password authentication with apache using .htaccess file

 

Prerequisites

To get started, you will need access to any Ubuntu or RHEL based server. You will need a non-root user with sudo privileges in order to perform administrative tasks.

Install the Apache Utilities Package

In order to create the file that will store the passwords needed to access our restricted content, we will use a utility called htpasswd. This is found in the apache2-utils package within the Ubuntu repositories.

Update the local package cache and install the package by typing this command. We will take this opportunity to also grab the Apache2 server in case it is not yet installed on the server:

  • sudo yum update
  • sudo apt-get install apache2 apache2-utils

Create the Password File

We now have access to the htpasswd command. We can use this to create a password file that Apache can use to authenticate users. We will create a hidden file for this purpose called .htpasswd within our /etc/apache2 configuration directory.

The first time we use this utility, we need to add the -c option to create the specified file. We specify a username (user1 in this example) at the end of the command to create a new entry within the file:

sudo htpasswd -c /etc/apache2/.htpasswd user1

You will be asked to supply and confirm a password for the user.

Leave out the -c argument for any additional users you wish to add:

  • sudo htpasswd /etc/apache2/.htpasswd another_user

If we view the contents of the file, we can see the username and the encrypted password for each record:

  • cat /etc/apache2/.htpasswd
Output
user1:$apr1$lzxsIfXG$tmCvCfb49vpPFwKGVsuYz.
another_user:$apr1$p1E9MeAf$kiAhneUwr.MhAE2kKGYHK.

Configuring Access Control with .htaccess Files

If you wish to set up password protection using .htaccess files instead, you should begin by editing the main Apache configuration file to allow .htaccess files:

  • sudo nano /etc/apache2/apache2.conf

Find the <Directory> block for the /var/www directory that holds the document root. Turn on .htaccessprocessing by changing the AllowOverride directive within that block from “None” to “All”:

/etc/apache2/apache2.conf
. . .

<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>

. . .

Save and close the file when you are finished.

Next, we need to add an .htaccess file to the directory we wish to restrict. In our demonstration, we’ll restrict the entire document root (the entire website) which is based at /var/www/html, but you can place this file in any directory you wish to restrict access to:

  • sudo nano /var/www/html/.htaccess

Within this file, specify that we wish to set up Basic authentication. For the AuthName, choose a realm name that will be displayed to the user when prompting for credentials. Use the AuthUserFile directive to point Apache to the password file we created. Finally, we will require a valid-user to access this resource, which means anyone who can verify their identity with a password will be allowed in:

/var/www/html/.htaccess
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user

Save and close the file. Restart the web server to password protect all content in or below the directory with the .htaccess file:

  • sudo service apache2 restart

Confirm the Password Authentication

To confirm that your content is protected, try to access your restricted content in a web browser. You should be presented with a username and password prompt that looks like this:

authentication_required

If you enter the correct credentials, you will be allowed to access the content. If you enter the wrong credentials or hit “Cancel”, you will see the “Unauthorized” error page:

Apache2 unauthorized error

Conclusion

You should now have everything you need to set up basic authentication for your site. Keep in mind that password protection should be combined with SSL encryption so that your credentials are not sent to the server in plain text. To learn how to implement SSL certificate to use with Apache you can follow this guide.

3 thoughts on “Password Authentication with Apache using .htaccess file”

    1. You are welcome! It is not possible to only use password without adding a user since the authentication (basic auth in current context), usually always needs a username, as well as the credentials corresponding to that username. Since we are using htpasswd, this is how it is designed. You can read more towards the top section of this page.

Leave a Reply

Your email address will not be published. Required fields are marked *

17 + 9 =