There are many ways you can password protect directories under an Apache web server. This is important to keep your file privates from both unauthorized users and search engines (when you do not want to get your data indexed). In this tutorial you will see the basics of password protecting a directory on your server. You can use any one of the following method:[donotprint]
| Tutorial details | |
|---|---|
| Difficulty | Easy (rss) |
| Root privileges | Yes |
| Requirements | None |
| Time | N/A |
- Putting authentication directives in a <Directory> section, in your main server configuration httpd.conf file, is the preferred way to implement this kind of authentication.
- If you do not have access to Apache httpd.conf file (for example shared hosting) then with the help of file called .htaccess you can create password protect directories. .htaccess file provide a way to make configuration changes on a per-directory basis.
In order to create apache password protected directories you need:
- Password file
- And Directory name which you would like to password protect (/var/www/docs)
Step # 1: Make sure Apache is configured to use .htaccess file
You need to have AllowOverride AuthConfig directive in httpd.conf file in order for these directives to have any effect. Look for DocumentRoot Directory entry. In this example, our DocumentRoot directory is set to /var/www. Therefore, my entry in httpd.conf looks like as follows:
<Directory /var/www> Options Indexes Includes FollowSymLinks MultiViews AllowOverride AuthConfig Order allow,deny Allow from all </Directory>
Save the file and restart Apache
If you are using Red Hat /Fedora Linux:
# service httpd restart
If you are using Debian Linux:
# /etc/init.d/apache-perl restart
Step # 2: Create a password file with htpasswd
htpasswd command is used to create and update the flat-files (text file) used to store usernames and password for basic authentication of Apache users. General syntax:
htpasswd -c password-file username
Where,
- -c : Create the password-file. If password-file already exists, it is rewritten and truncated.
- username : The username to create or update in password-file. If username does not exist in this file, an entry is added. If it does exist, the password is changed.
Create directory outside apache document root, so that only Apache can access password file. The password-file should be placed somewhere not accessible from the web. This is so that people cannot download the password file:
# mkdir -p /home/secure/
Add new user called vivek
# htpasswd -c /home/secure/apasswords vivek
Make sure /home/secure/apasswords file is readable by Apache web server. If Apache cannot read your password file, it will not authenticate you. You need to setup a correct permission using chown command. Usually apache use www-data user. Use the following command to find out Apache username. If you are using Debian Linux use pache2.conf, type the following command:
# grep -e '^User' /etc/apache2/apache2.conf
Output:
www-data
Now allow apache user www-data to read our password file:
# chown www-data:www-data /home/secure/apasswords
# chmod 0660 /home/secure/apasswords
If you are using RedHat and Fedora core, type the following commands :
# grep -e '^User' /etc/httpd/conf/httpd.conf
Output:
apache
Now allow apache user apache to read our password file:
# chown apache:apache /home/secure/apasswords
# chmod 0660 /home/secure/apasswords
Now our user vivek is added but you need to configure the Apache web server to request a password and tell the server which users are allowed access. Let us assume you have directory called /var/www/docs and you would like to protect it with a password.
Create a directory /var/www/docs if it does not exist:
# mkdir -p /var/www/docs
Create .htaccess file using text editor:
# cd /var/www/docs
# vi .htaccess
Add following text:
AuthType Basic AuthName "Restricted Access" AuthUserFile /home/secure/apasswords Require user vivek
Save file and exit to shell prompt.
Step # 3: Test your configuration
Fire your browser type url http://yourdomain.com/docs/ or http://localhost/docs/ or http://ip-address/docs
When prompted for username and password please supply username vivek and password. You can add following lines to any file <Diretory> entry in httpd.conf file:
AuthType Basic AuthName "Restricted Access" AuthUserFile /home/secure/apasswords Require user vivek
To change or setup new user use htpasswd command again.
Troubleshooting
If password is not accepted or if you want to troubleshoot authentication related problems, open and see apache access.log/error.log files:
Fedora/CentOS/RHEL Linux log file location:
# tail -f /var/log/httpd/access_log
# tail -f /var/log/httpd/error_log
Ubuntu/Debian Linux Apache 2 log file location:
# tail -f /var/log/apache2/access.log
# tail -f /var/log/apache2/error.log
See also:
🐧 Get the latest tutorials on SysAdmin, Linux/Unix, Open Source/DevOps topics:
- RSS feed or Weekly email newsletter
- Share on Twitter • Facebook • 36 comments... add one ↓
| Category | List of Unix and Linux commands |
|---|---|
| File Management | cat |
| Firewall | Alpine Awall • CentOS 8 • OpenSUSE • RHEL 8 • Ubuntu 16.04 • Ubuntu 18.04 • Ubuntu 20.04 |
| Network Utilities | dig • host • ip • nmap |
| OpenVPN | CentOS 7 • CentOS 8 • Debian 10 • Debian 8/9 • Ubuntu 18.04 • Ubuntu 20.04 |
| Package Manager | apk • apt |
| Processes Management | bg • chroot • cron • disown • fg • jobs • killall • kill • pidof • pstree • pwdx • time |
| Searching | grep • whereis • which |
| User Information | groups • id • lastcomm • last • lid/libuser-lid • logname • members • users • whoami • who • w |
| WireGuard VPN | Alpine • CentOS 8 • Debian 10 • Firewall • Ubuntu 20.04 |
Awesome article. Saved hours for me !
Thanks a lot! :) worked like a charm for me!
Didn’t have to change the user privileges for the file though.
You can add option “s” to make the password using SHA instead of the default crypt which only allow eight (8) characters long passwords.
The command becomes:
You will notice that the file now has {SHA} in password line.
If you want too add user to already created file, remove the c options
How do I add additional users? Every time I try it tells me it works but then I can’t use the new credentials to log in.
For some reason I don’t seem to be able to make it work. I have made all the settings, in cPanel I can see that the folder is password protected and I have a username but when I access the folder via http, it returns a 404 error. Why is that?
Vivek, It worked the first try!!!
Thank You very much
hi team,
i have setup apache password protect but not able to login with user which i have crteated
plz help
Thanks man that’s was very helpful ^^thanks a gain
Thanks this tips are very used to me, its all are working in my box and saved my time also.
very helpful..worked fynn…thanks alot.. :)
Hi Vivek,
I followed all the steps.. Now when I open apache link, it is asking username and password, if I enter the username and password, it does not take it.. Just keep asking..
Please help me..
Thanks
very helpful!! really good stuff about security!!!
can we block specific user from perticular ip address in apache?
how can we do that?
Thanks & Regards
Vinay Gupta
How do I get different user names and passwords for different sub-directories ? I have multiple sites arranged like this: /site1, /site2, and so on. The problems are: (1) Once my computer logs into one of these sites, additional browser sessions on my computer can access any of the other sites without having to login, (2) Once I have connected to multiple of these sites, logging out from any one of them logs me out from all of them. I need them all to be independent of one another.
Some of my text was left out. All of these sites are on the same server and have the same document root.
I cannot get the username and password page shown above, the one in docs, to display. Is there another location ?