Lighttpd setup a password protected directory (directories)

If you require authentication on certain directories using the Lighttpd web server, you can use Lighttpd’s mod_auth module. It allows you to protect any directory in web server with access restrictions (just like Apache’s password protected directory) .

Lighttpd supports both basic and digest authentication methods. Now consider following sample setup:

  1. Domain name:
  2. Directory (DocRoot) to protect with a password: /home/lighttpd/
  3. Username: vivek
  4. Lighttpd password file: /home/lighttpd/.lighttpdpassword (this file should be outside default http document root)

How do I use Basic authentication method?

Easy to implement and password stored in cleartext format using files. If you are going to use this method make sure you use SSL (Secure Socket Layer) connection/encryption.

Step #1: Open /etc/lighttpd/lighttpd.conf file

Make sure mod_auth is loaded:
server.modules += ( "mod_auth" )

Now add following three directives:
auth.debug = 2
auth.backend = "plain"
auth.backend.plain.userfile = "/home/lighttpd/.lighttpdpassword"


  • auth.debug = 2 : Specify debug level (0 turns off debug message, 1 for authentication ok message and 2 for detailed/verbose debugging message). This is useful for troubleshooting authentication problem. It logs message in access.log and error.log files
  • auth.backend = “plain” : You are using plain text backend (other options are ldap, htpasswd and others)
  • auth.backend.plain.userfile = “/home/lighttpd/.lighttpdpassword” : Filename of the username:password storage

Next, you need specify which directory you want to password protect. For example, consider directory /home/lighttpd/ directory. Find out your domains virtual hosting section ( and append following text:
auth.require = ( "/docs/" =>
"method" => "basic",
"realm" => "Password protected area",
"require" => "user=vivek"


  • auth.require = ( “/docs/” => : Directory name
  • “method” => “basic”, : Authentication type
  • “realm” => “Password protected area”, : Password realm/message
  • “require” => “user=vivek” : Only user vivek can use /docs/

At the end, your configuration should read as follows:
$HTTP["host"] == "" {
server.document-root = "/home/lighttpd/"
server.errorlog = "/var/log/lighttpd/"
accesslog.filename = "/var/log/lighttpd/"
auth.require = ( "/docs/" =>
"method" => "basic",
"realm" => "Password protected area",
"require" => "user=vivek"

Save and close the file.

Step # 2: Create a password file

Create a plain text username (vivek) and password file:
# vi /home/lighttpd/.lighttpdpassword

Append username:password:


  • vivek – is the name of a user. Please note that do not use a system user stored in /etc/passwd file. It is recommended that you use a different username that only exists for the purpose of authenticating password protected directories.
  • mysecretepassword – is the password for user vivek (must be in clear text format for plain text method)

Save and close the file. Make sure file /home/lighttpd/.lighttpdpassword is readable by lighttpd:
# chown lighttpd:lighttpd /home/lighttpd/.lighttpdpassword

Finally, restart lighttpd server:
# /etc/init.d/lighttpd restart

Step # 3: Test your configuration

Fire your browser and point a web browser to or http://localhost/docs/ or http://ip-address/docs. You should be prompted for a username and password.

This way you can restrict access to certain areas of your website. Make sure you also use SSL encryption for authenticating users and secure digest authentication.

🐧 If you liked this page, please support my work on Patreon or with a donation.
🐧 Get the latest tutorials on SysAdmin, Linux/Unix, Open Source & DevOps topics via:
CategoryList of Unix and Linux commands
File Managementcat
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network Utilitiesdig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
56 comments… add one
  • Dane Mar 7, 2016 @ 1:39

    if auth is applied to / is there a way to override this to allow anonymous access to a specific file or paths?

  • Raj Dec 30, 2014 @ 17:38

    Thanks for the crisp and clear post. I could get the password protection for the directory but the login credentials currently entered on a popup window. I can create a login page then do I need to enter credentials twice in popup window and login page? Were you able to establish sessions for the user logged in such as automatically logged out after certain inactivity?

  • kulland Mar 30, 2014 @ 0:49

    How would i set it to ask to the user/pass every time from the same computer or session?

  • barul Jan 13, 2014 @ 11:59

    Thanks a lot for this post! It still works today without any settings change.

  • Nypias Aug 18, 2012 @ 21:59

    Thanks a lot for this explanation ;D

  • shahzaib Jun 23, 2012 @ 10:50

    does lighttpd supports subdirectories for secure streaming?

  • michiel Dec 8, 2011 @ 12:40


    I got plain authorization working, but it seems there is a very long timeout before you have to enter login&password again. Is there a way to set it to about 30 minutes or so?

  • przemek Jun 16, 2011 @ 7:22

    what is domain name? i got index.php as my website in ww folder and how i do domain name?

  • kurt krueckeberg Apr 5, 2011 @ 14:20

    Great article. The most helpful one I’ve found.

  • Chalai Apr 30, 2010 @ 1:10

    How to restrict access to a folder/subfolder only?
    Using Apache I can restrict user access to a folder/subfolder only by setting a value for open_basedir and include_path, how do I do that with Lighttpd?

  • mahal24 Apr 15, 2010 @ 6:02

    Can somebody please tell me if Lighttpd supports “GROUP” authentication and if it does how do you configure it? Thanks in advance!

  • Tapas Mallick Mar 29, 2010 @ 9:53

    I believe there should have a post on “Access restriction based on IP/Subnet Address” (like: order allow, deny; allow from; deny from all; directives normally used in apache)

  • lopes Mar 1, 2010 @ 22:44


    How I can use the same password and user for two folder? How I can setup this?

    Many thanks

  • Lopes Mar 1, 2010 @ 22:33

    Thanks Vivek!

    Just a question how can I protect two folders? Using same user and password?

Leave a Reply

Your email address will not be published. Required fields are marked *

Use HTML <pre>...</pre>, <code>...</code> and <kbd>...</kbd> for code samples.