password protection with .htaccess and apache

Password protecting a web site directory can be done with a .htaccess file, a minor tweak to Apache's httpd.conf file and a text file that serves as the user database.

first - In the directory that you wish to password protect, create a text file called .htaccess. Below is a basic example .htaccess file:

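# User database created with htpasswd (third step below)
AuthUserFile /pathname/test
AuthName "insert descriptive name here"
AuthType Basic
# Require is not wrapped in <Limit GET>: inside that block it would cover only
# GET (and HEAD), leaving other methods such as POST unauthenticated
Require valid-user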

I think that most of the contents of the .htaccess file are pretty self-explanatory. But I want to point out that "Require" can take other arguments: for example, "Require user username" would allow only the user named username.

second - Edit Apache's httpd.conf file. This step needs to be done logged in as root. Under "Section 2: 'Main' server configuration", locate "AllowOverride none" and change it to "AllowOverride Authconfig FileInfo". AuthConfig is the override class that lets a .htaccess file use the authentication directives. See the example below:

<Directory />
    Options FollowSymLinks
    AllowOverride Authconfig FileInfo
</Directory>

If the Apache server that you are using has more than one virtual host, add the above directive to the virtual host that you want to protect. The example below uses a .htaccess file in the directory /www/wwwroot/test, as you can see from the Directory section. The location of the .htaccess file must correspond to the location specified in that Directory section.

<VirtualHost 155.99.132.11>
    ServerName    some.domainname.com
    ServerAdmin   user@something.com
    DocumentRoot  /www/wwwroot/test
    ErrorLog      /www/wwwroot/logs/test_error.log
    CustomLog     /www/wwwroot/logs/test_access.log combined
    <Directory /www/wwwroot/test>
        AllowOverride Authconfig FileInfo
    </Directory>
</VirtualHost>

third - Create the user database. Since .htaccess password restrictions have nothing to do with the user accounts on your Linux box, at least in my example, you need to create a database of usernames and passwords. This is actually really simple. I do this logged in as root as well, using a program that is part of your Apache install called htpasswd. I am assuming that Apache is installed in /usr/local/apache for this example. Keep the database file outside the web site's document root so that the server cannot serve it to visitors. So, logged in as root, create a directory /htusers and then issue the command below.

# /usr/local/apache/bin/htpasswd -bc /pathname/test username password

This will create a file called test in the directory /pathname, and in the file will be a user "username" whose password, "password", is stored in hashed form. Check out the options of htpasswd to see what the -bc was for.

# /usr/local/apache/bin/htpasswd --help

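This will list the options that can be issued with htpasswd. If you look, you will see that I chose to create a new file (the "c" option) and to take the password from the command line instead of being asked for it (the "b" option). A password given on the command line ends up in the shell history and is visible in the process list while the command runs; leave out "b" and htpasswd will prompt for it instead. If you are going to add more than one user, do not use the "c" option on anything but the first user, as it will create a new file, overwriting what was in place.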

Now check your protected web site. If you go to the site that was set up, you should be prompted for a username and password before entering.
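
A check for the .htaccess file from the first step, added here as an example and not part of the original page: it reads a .htaccess on stdin and reports when Require sits inside a <Limit> block (where it covers only the listed methods) or when AuthUserFile points inside the DocumentRoot (where the password file could be served). The function name, the finding codes and both sample files are constructed for illustration.

```sh
#!/bin/sh
# Usage: audit_htaccess DOCROOT < .htaccess
# Prints one finding code per line, or "OK" when nothing is found.
audit_htaccess() {
    awk -v docroot="${1%/}" '
        /^[ \t]*#/ { next }                                   # skip comment lines
        { line = tolower($0); sub(/^[ \t]+/, "", line) }      # directives are case-insensitive
        line ~ /^<limit[ \t>]/      { in_limit = 1; next }    # <Limit ...> opens
        line ~ /^<\/limit>/         { in_limit = 0; next }    # </Limit> closes
        line ~ /^authtype[ \t]/     { authtype = 1 }
        line ~ /^authuserfile[ \t]/ { userfile = $2; gsub(/"/, "", userfile) }
        line ~ /^require[ \t]/      { require = 1; if (in_limit) limited = 1 }
        END {
            if (!authtype || userfile == "") { print "AUTH_INCOMPLETE"; n++ }
            if (!require)                    { print "NO_REQUIRE"; n++ }
            if (limited)                     { print "REQUIRE_IN_LIMIT"; n++ }
            if (index(userfile "/", docroot "/") == 1) { print "USERFILE_IN_DOCROOT"; n++ }
            if (!n) print "OK"
        }
    '
}

# Constructed sample 1: Require wrapped in <Limit GET>, user file under the docroot.
sample_weak() {
    cat <<'EOF'
AuthUserFile /www/wwwroot/test/.htpasswd
AuthName "insert descriptive name here"
AuthType Basic
<Limit GET>
Require valid-user
</Limit>
EOF
}

# Constructed sample 2: Require covers every method, user file outside the docroot.
sample_ok() {
    cat <<'EOF'
AuthUserFile /pathname/test
AuthName "insert descriptive name here"
AuthType Basic
Require valid-user
EOF
}

sample_weak | audit_htaccess /www/wwwroot/test   # REQUIRE_IN_LIMIT, USERFILE_IN_DOCROOT
sample_ok   | audit_htaccess /www/wwwroot/test   # OK
```

Run it against a real file with: audit_htaccess /www/wwwroot/test < /www/wwwroot/test/.htaccess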