Password Protect a Directory with Apache


Learn how to password protect a directory using Apache's basic HTTP authentication. This method will allow you to set up a restricted area of your website which will require a username and password for access.

Requirements

  • A Cloud Server running Linux (CentOS 7 or Ubuntu 16.04).
  • Apache web server installed and running.

For more information on setting up an Apache website, see our articles on the topic.

Create the Password File

The first step is to create a password file which Apache will use to check the username and password. This file will be named .htpasswd and put in a secure location: /etc/apache2 on Ubuntu 16.04, and /etc/httpd on CentOS 7.

The htpasswd command can be used to either create a password file or add an entry to it. The first time, we will use the -c flag to create the file and add the username jdoe:

  • CentOS 7: sudo htpasswd -c /etc/httpd/.htpasswd jdoe
  • Ubuntu 16.04: sudo htpasswd -c /etc/apache2/.htpasswd jdoe

You will be prompted to enter and confirm the new password for the user.

Add a New User to an Existing File

To add a new user to an existing password file, use the same command without the -c flag, because -c recreates the file and discards the entries already in it. For example, to add a user janedoe the command is:

  • CentOS 7: sudo htpasswd /etc/httpd/.htpasswd janedoe
  • Ubuntu 16.04: sudo htpasswd /etc/apache2/.htpasswd janedoe

You will be prompted to enter and confirm the new password for the user.
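
Once the password file has entries, it is worth checking how they are stored. The script below is an added example, not part of the original article: it reports which hash scheme each entry uses and whether the file is world-readable. The function names htpasswd_scheme and audit_htpasswd are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original article): audit an .htpasswd file.
# Function names are hypothetical.

# Map a stored hash to the scheme htpasswd used, based on its prefix.
htpasswd_scheme() {
    case "$1" in
        '$2y$'*)        echo bcrypt ;;             # htpasswd -B
        '$apr1$'*)      echo apr1-md5 ;;           # htpasswd -m, salted MD5
        '$5$'*|'$6$'*)  echo sha-crypt ;;          # crypt(3) SHA-256/512
        '{SHA}'*)       echo sha1-unsalted ;;      # htpasswd -s
        *)              echo crypt-or-plaintext ;; # htpasswd -d / -p
    esac
}

# Prints one line per entry or finding.
# Exit status: 0 = clean, 1 = findings, 2 = file unreadable.
# The body is a subshell "( )" so its variables do not leak into the caller.
audit_htpasswd() (
    file=$1; findings=0; lineno=0
    [ -r "$file" ] || { echo "ERROR: cannot read $file"; exit 2; }
    # A world-readable file exposes every hash to all local accounts.
    # Apache's run-as user must still be able to read it (e.g. via its group).
    if [ -n "$(find "$file" -prune -perm -0004)" ]; then
        echo "WARN: $file is world-readable"
        findings=$((findings + 1))
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in ''|'#'*) continue ;; esac   # blank lines and comments
        case "$line" in
            *:*) user=${line%%:*}; hash=${line#*:} ;;
            *)   echo "WARN: line $lineno is not user:hash"
                 findings=$((findings + 1)); continue ;;
        esac
        scheme=$(htpasswd_scheme "$hash")
        case "$scheme" in
            bcrypt|sha-crypt|apr1-md5) echo "OK: $user ($scheme)" ;;
            *) echo "WARN: $user uses $scheme"; findings=$((findings + 1)) ;;
        esac
    done < "$file"
    [ "$findings" -eq 0 ]
)

# Usage: sudo sh audit_htpasswd.sh /etc/apache2/.htpasswd
if [ "$#" -gt 0 ]; then audit_htpasswd "$1"; fi
```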

Enable Directory Restriction

Before you can restrict a directory, you will need to configure Apache to allow .htaccess files.

CentOS 7

Open the main Apache configuration file for editing with the command:

sudo nano /etc/httpd/conf/httpd.conf

Scroll down to the <Directory> section for "/var/www/html" and change AllowOverride to All.

Save and exit the file. Then restart Apache for the changes to take effect:

sudo systemctl restart httpd

Ubuntu 16.04

Open the main Apache configuration file for editing with the command:

sudo nano /etc/apache2/apache2.conf

Scroll down to the <Directory> section for "/var/www" and change AllowOverride to All.

<Directory /var/www/>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
</Directory>

Save and exit the file. Then restart Apache for the changes to take effect:

sudo systemctl restart apache2

Create the Restricted Area

Go to the directory you want to protect. For example:

cd /var/www/html/admin

Create a file called .htaccess and open it for editing:

sudo nano .htaccess

Put the following into this file:

CentOS 7:

AuthType Basic
AuthName "Password Required"
Require valid-user
AuthUserFile /etc/httpd/.htpasswd

Ubuntu 16.04:

AuthType Basic
AuthName "Password Required"
Require valid-user
AuthUserFile /etc/apache2/.htpasswd

Test the Authentication

To test the authentication, visit the password-protected URL in a browser. You will get a pop-up which prompts you to enter a username and password to continue.

Note: If your browser has a pop-up blocker, you will need to configure it to allow pop-ups for this domain.