I am a new Linux server sysadmin. How do I protect a directory in Apache web-server on a Linux operating systems?

There are many ways you can password protect directories under an Apache web server. This is important to keep your file privates from both unauthorized users and search engines (when you do not want to get your data indexed). In this tutorial you will see the basics of password protecting a directory on your server. You can use any one of the following method:
Tutorial details
Difficulty level Easy
Root privileges Yes
Requirements Apache on Linux or Unix
Est. reading time 5m

  1. Putting authentication directives in a <Directory> section, in your main server configuration httpd.conf file, is the preferred way to implement this kind of authentication.
  2. If you do not have access to Apache httpd.conf file (for example shared hosting) then with the help of file called .htaccess you can create password protect directories. .htaccess file provide a way to make configuration changes on a per-directory basis.

In order to create apache password protected directories you need:

  • Password file
  • And Directory name which you would like to password protect (/var/www/docs)

Are you using Nginx? See how to password protect directory with Nginx .htpasswd authentication

Make sure Apache is configured to use .htaccess file

You need to have AllowOverride AuthConfig directive in httpd.conf file in order for these directives to have any effect. Look for DocumentRoot Directory entry. In this example, our DocumentRoot directory is set to /var/www. Therefore, my entry in httpd.conf looks like as follows:

<Directory /var/www>
Options Indexes Includes FollowSymLinks MultiViews
AllowOverride AuthConfig
Order allow,deny
Allow from all

Save the file and restart the Apache web server:
If you are using Red Hat /Fedora Linux:

# service httpd restart
# or #
# systemctl restart httpd

If you are using Debian/Ubuntu Linux:

# /etc/init.d/apache2 restart
# OR #
# systemctl restart apache2

Create a password file with htpasswd

htpasswd command is used to create and update the flat-files (text file) used to store usernames and password for basic authentication of Apache users. General syntax:
htpasswd -c password-file username
# htpasswd /etc/apache2/.htaccess vivek


  • -c : Create the password-file. If password-file already exists, it is rewritten and truncated.
  • username : The username to create or update in password-file. If username does not exist in this file, an entry is added. If it does exist, the password is changed.

Setting up password authentication with Apache and .htaccess file

Create a new directory outside apache document root, so that only Apache can access password file. The password-file should be placed somewhere not accessible from the web. This is so that people cannot download the password file:

# mkdir -p /home/secure/

Add a new user called vivek:

# htpasswd -c /home/secure/apasswords vivek

Make sure /home/secure/apasswords file is readable by Apache web server. If Apache cannot read your password file, it will not authenticate you. You need to setup a correct permission using chown command. Usually apache use www-data user. Use the following command to find out Apache username. If you are using Debian Linux use apache2.conf, type the following command:
# grep -e '^User' /etc/apache2/apache2.conf


Now allow apache user called www-data to read our password file:
# chown www-data:www-data /home/secure/apasswords
# chmod 0660 /home/secure/apasswords

If you are using RedHat and Fedora core, type the following commands :
# grep -e '^User' /etc/httpd/conf/httpd.conf


Then allow apache user named apache to read our password file on RHEL/CentOS:
# chown apache:apache /home/secure/apasswords
# chmod 0660 /home/secure/apasswords

Now our user vivek is added but you need to configure the Apache web server to request a password and tell the server which users are allowed access. Let us assume you have directory called /var/www/docs and you would like to protect it with a password.

Create a directory /var/www/docs if it does not exist:
# mkdir -p /var/www/docs

Create .htaccess file using text editor:
# cd /var/www/docs
# vi .htaccess

Add following text:

AuthType Basic
AuthName "Restricted Access"
AuthUserFile /home/secure/apasswords
Require user vivek

Save file and exit to shell prompt.

Test your configuration

Fire your browser type url https://yourdomain-com/docs/ or http://localhost/docs/ or http://ip-address/docs

When prompted for username and password please supply username vivek and password. You can add following lines to any file <Diretory> entry in httpd.conf file:

AuthType Basic
AuthName "Restricted Access"
AuthUserFile /home/secure/apasswords
Require user vivek

To change or setup new user use htpasswd command again.


If password is not accepted or if you want to troubleshoot authentication related problems, open and see apache access.log/error.log files:

Fedora/CentOS/RHEL Linux log file location:
# tail -f /var/log/httpd/access_log
# tail -f /var/log/httpd/error_log

Ubuntu/Debian Linux Apache 2 log file location:
# tail -f /var/log/apache2/access.log
# tail -f /var/log/apache2/error.log

Summing up

You learned how to password protect Apache web server. See Apache documentation for more info.

🐧 Get the latest tutorials on Linux, Open Source & DevOps via RSS feed or Weekly email newsletter.

🐧 35 comments so far... add one

CategoryList of Unix and Linux commands
Disk space analyzersncdu pydf
File Managementcat
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network UtilitiesNetHogs dig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
35 comments… add one
  • Anonymous Aug 13, 2006 @ 21:19

    is there any similar resource for setting this up on windows?

  • 🐧 nixcraft Aug 14, 2006 @ 3:09

    Do you want information for Apache or IIS server?

  • alka Mar 22, 2007 @ 6:21

    When i provide the username & password, it works fine. But when i try to again access something from the same location in the same browser , it does not promt fot the username & password.
    How can i do that?

  • 🐧 nixCraft Mar 22, 2007 @ 8:43


    Browser remembers your password/username for current running session. If you close browser it will again prompt for the same.


  • Jo Jun 30, 2007 @ 22:27

    I want use the Password Protect Directories for add user in automaticly whit a simple FORM PHP … Tanks for your good services :P

  • jason Dec 29, 2007 @ 18:19

    Thank you for great tips.
    I did as said in here and it works great.
    But, I have a question.
    The password length that works is only max 8 char.
    In other words, all I have to enter is the first 8 char for the password. After 8 ch, the characters are ignored.
    Is there any way to increase the password length?

    Thank you very much

  • 🐧 nixCraft Dec 30, 2007 @ 11:41


    You need to change password backend to mysql or ldap.

  • Mikhail Feb 29, 2008 @ 3:17

    Have the same problem with 8-char password, but didn’t found the solution. Is there any way to fix it, please, explain more detailed.

  • Joshua K Aug 17, 2008 @ 16:04

    I’ve gone through these steps on Ubuntu Hardy twice and it still doesn’t work for me. Is there something I’m missing?

  • Marian Vlad Oct 9, 2008 @ 17:58

    try htpasswd -m … ;) (and man htpasswd for more)

  • robert Jan 18, 2009 @ 19:43

    Sweet! Instructions worked great on my freebsd box. I am curious though: Why did you choose put the file in /home/secure/, instead of a etc directory? I followed your recommendation and made /home/secure/ and it works fine. I was just wondering if there was a reason one should not put it in /etc or /usr/local/etc/ ?

  • sim Jan 23, 2009 @ 8:10

    ThanXx very much m8 ..its work great ..

  • Raymond Aug 14, 2009 @ 15:25

    Change directive
    Require user vivek
    Requre valid-user

    will allow all users in the password file to access.

  • 3.grosz Oct 12, 2009 @ 8:32

    And now I figure it out. Thanks :)

  • etoshx Oct 23, 2009 @ 8:06

    ive followed the above instructions but when i try to open the site its giving me errors like “The website declined to show this webpage ,This website requires you to log in.” this what am getting in the httpd error logs “[error] [client XX.XX.XX.XX] client denied by server configuration: /var/www/html/site1/”

  • Jose Aug 18, 2010 @ 2:11

    Just a quick note to say thanks for the post. I’m developing a website on a new VPS with Rackspace. My existing host provider, HostGator, provides a web interface for configuring .htaccess files in protected directories. However, after I installed the my chosen Linux distro (Ubuntu 10.04) I had to install LAMP. So, basically, I’m working from the command line in a bare bones server.

    This post helped me configure password protection on my new bare bones server. Thanks again!

  • Junior Dec 4, 2010 @ 16:47

    awesome!!!! this works so well for me. I made multiply accounts for Secured directory and now are secured. Vivek you are the man thank you!

  • Junior Dec 4, 2010 @ 17:33

    Vivek everything works well on my box now… i made multiplier accoutn for diffrent directory with out a problem…my question is how can now make multiplier user id to access the same directory? I like to make about 5 user id in case one of the users id needs to be deleted or disable etc…

    Thank yuo for your help!

  • JB Jan 27, 2011 @ 18:41

    Set up SSL on apache2 Ubuntu. WOrks fine and prompts for password using http: but when you go the web server using https it does not prompt for a password. What configuration setting could be doing this?

  • Ritesh Jul 21, 2011 @ 11:15

    Awesome article. Saved hours for me !

  • Savio Sebastian Apr 25, 2012 @ 6:30

    Thanks a lot! :) worked like a charm for me!

    Didn’t have to change the user privileges for the file though.

  • Usama Akkad May 18, 2012 @ 18:43

    You can add option “s” to make the password using SHA instead of the default crypt which only allow eight (8) characters long passwords.
    The command becomes:

    # htpasswd -cs /home/secure/apasswords vivek

    You will notice that the file now has {SHA} in password line.

    If you want too add user to already created file, remove the c options

  • Philip Jul 30, 2012 @ 3:34

    How do I add additional users? Every time I try it tells me it works but then I can’t use the new credentials to log in.

  • Iosif Nov 29, 2012 @ 16:47

    For some reason I don’t seem to be able to make it work. I have made all the settings, in cPanel I can see that the folder is password protected and I have a username but when I access the folder via http, it returns a 404 error. Why is that?

  • Altaf Jan 5, 2013 @ 12:34

    Vivek, It worked the first try!!!
    Thank You very much

  • varun kumar Dec 6, 2013 @ 7:29

    hi team,

    i have setup apache password protect but not able to login with user which i have crteated

    plz help

  • Bahaddou Mohammed Mar 31, 2014 @ 17:28

    Thanks man that’s was very helpful ^^thanks a gain

  • ram rockzz Aug 14, 2014 @ 12:39

    Thanks this tips are very used to me, its all are working in my box and saved my time also.

  • akhil Oct 17, 2014 @ 7:48

    very helpful..worked fynn…thanks alot.. :)

  • Harry Dec 9, 2014 @ 10:41

    Hi Vivek,

    I followed all the steps.. Now when I open apache link, it is asking username and password, if I enter the username and password, it does not take it.. Just keep asking..

    Please help me..


  • Rainer Nov 20, 2015 @ 18:35

    very helpful!! really good stuff about security!!!

  • Vinay Gupta Jul 15, 2016 @ 8:23

    can we block specific user from perticular ip address in apache?
    how can we do that?

    Thanks & Regards
    Vinay Gupta

  • NewtownGuy Nov 21, 2016 @ 21:31

    How do I get different user names and passwords for different sub-directories ? I have multiple sites arranged like this: /site1, /site2, and so on. The problems are: (1) Once my computer logs into one of these sites, additional browser sessions on my computer can access any of the other sites without having to login, (2) Once I have connected to multiple of these sites, logging out from any one of them logs me out from all of them. I need them all to be independent of one another.

    • NewtownGuy Nov 21, 2016 @ 21:32

      Some of my text was left out. All of these sites are on the same server and have the same document root.

    • NewtownGuy Nov 21, 2016 @ 21:36

      I cannot get the username and password page shown above, the one in docs, to display. Is there another location ?

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre> for code samples. Still have questions? Post it on our forum