Password protect a directory with Apache

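Learn how to password protect a directory using Apache's basic HTTP authentication. This method lets you set up a restricted area of your website that requires a username and password for access. Basic authentication sends the credentials base64-encoded rather than encrypted, so serve the restricted area over HTTPS.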

    Requirements

    • A Cloud Server running Linux (CentOS 7 or Ubuntu 16.04).
    • Apache web server installed and running.

    Create the password file

    The first step is to create a password file which Apache will use to check the username and password. This file will be named .htpasswd and put in a secure location: /etc/apache2 on Ubuntu 16.04, and /etc/httpd on CentOS 7.

    The htpasswd command can either create a password file or add an entry to an existing one. The first time, use the -c flag to create the file and add the username jdoe:

    • CentOS 7: sudo htpasswd -c /etc/httpd/.htpasswd jdoe
    • Ubuntu 16.04: sudo htpasswd -c /etc/apache2/.htpasswd jdoe

    You will be prompted to enter and confirm the new password for the user.

    Add a New User to an Existing File

    To add a new user to an existing password file, use the same command without the -c flag; with -c, htpasswd would overwrite the existing file and its entries. For example, to add a user janedoe the command is:

    • CentOS 7: sudo htpasswd /etc/httpd/.htpasswd janedoe
    • Ubuntu 16.04: sudo htpasswd /etc/apache2/.htpasswd janedoe

    You will be prompted to enter and confirm the new password for the user.
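
Each line of the password file is a username followed by a hash, and the hash scheme and file mode decide how much an attacker gains from reading the file. The script below is an added example, not part of the original tutorial: it classifies every entry by scheme and checks whether the file is world-readable. The function names, the users legacy1 and legacy2, and the placeholder hashes are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an htpasswd file. Not part of the original tutorial.

# Print "user scheme verdict" for each entry; return 1 if any entry is weak.
audit_htpasswd() {
    weak=0
    while IFS=: read -r user hash _rest || [ -n "$user" ]; do
        case $user in ''|'#'*) continue ;; esac    # skip blank lines, comments
        case $hash in
            '$2y$'*)       scheme=bcrypt         verdict=ok   ;;  # htpasswd -B
            '$apr1$'*)     scheme=apr1-md5       verdict=ok   ;;  # salted MD5
            '$5$'*|'$6$'*) scheme=sha2-crypt     verdict=ok   ;;  # crypt(3) SHA-2
            '{SHA}'*)      scheme=sha1           verdict=weak ;;  # unsalted SHA-1
            *)             scheme=crypt-or-plain verdict=weak ;;  # DES crypt, plain
        esac
        [ "$verdict" = weak ] && weak=1
        printf '%s %s %s\n' "$user" "$scheme" "$verdict"
    done < "$1"
    return "$weak"
}

# Succeed if FILE is readable by "other", i.e. by every local account.
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# Constructed entries with placeholder hashes (not real credentials).
# legacy1 and legacy2 are hypothetical users added for illustration.
sample_htpasswd() {
    cat <<'EOF'
jdoe:$apr1$constrct$AAAAAAAAAAAAAAAAAAAAAA
janedoe:$2y$05$AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
legacy1:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
legacy2:AAAAAAAAAAAAA
EOF
}

# Demo: audit the sample, then check the mode of the temporary file.
tmp=$(mktemp)
sample_htpasswd > "$tmp"
audit_htpasswd "$tmp" || echo "weak entries: reset those passwords with htpasswd"
world_readable "$tmp" && echo "warning: $tmp is world-readable"
rm -f "$tmp"
```

To audit a real file, pass its path instead, for example `audit_htpasswd /etc/apache2/.htpasswd`. Running `htpasswd` again for a user flagged weak replaces that entry with a new hash.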

    Enable directory restriction

    Before you can restrict a directory, you will need to configure Apache to allow .htaccess files.

    CentOS 7

    Open the main Apache configuration file for editing with the command:

    sudo nano /etc/httpd/conf/httpd.conf

    Scroll down to the <Directory> section for "/var/www/html" and change AllowOverride to All.

    Save and exit the file. Then restart Apache for the changes to take effect:

    sudo systemctl restart httpd

    Ubuntu 16.04

    Open the main Apache configuration file for editing with the command:

    sudo nano /etc/apache2/apache2.conf

    Scroll down to the <Directory> section for "/var/www" and change AllowOverride to All.

    <Directory /var/www/>
            Options Indexes FollowSymLinks
            AllowOverride All
            Require all granted
    </Directory>

    Save and exit the file. Then restart Apache for the changes to take effect:

    sudo systemctl restart apache2

    Create the restricted area

    Go to the directory you want to protect. For example:

    cd /var/www/html/admin

    Create a file called .htaccess and open it for editing:

    sudo nano .htaccess

    Put the following into this file:

    CentOS 7:

    AuthType Basic
    AuthName "Password Required"
    Require valid-user
    AuthUserFile /etc/httpd/.htpasswd

    Ubuntu 16.04:

    AuthType Basic
    AuthName "Password Required"
    Require valid-user
    AuthUserFile /etc/apache2/.htpasswd

    Test the authentication

    To test the authentication, visit the password-protected URL in a browser. You will get a pop-up which prompts you to enter a username and password to continue.

    Note

    If your browser has a pop-up blocker, you will need to configure it to allow pop-ups for this domain.