How-To: Password Protect Apache Directories with .htaccess
This post was written on August 26, 2006 at around 4:17 am by Drew. It is 1,247 words long and currently has 11 comments. It is tagged under Management, Security, Sys Admin and UNIX/Linux. This post was last updated on Apr 4, 2008. Enough talk, carry on.
Have you ever wanted to let someone download a file or image from your website without the whole world knowing about it, Google's search engine spiders included? The robots.txt file only goes so far: it is a polite request that well-behaved crawlers honour, not an access control. If I don't want a directory crawled, I'd rather password-protect it. It's a great way to set up realms that only the privileged few know about. I'll walk you through the very simple steps of doing so and show you what gets added on the server side.
Grab Your Tools
We will need a couple of things to set up a password-protected directory with Apache. First off we need an operating system. I am going to presume that you already have Apache 2.x installed on your server. If you are like me, you will also need PuTTY (or another SSH client) and a network connection to your server; of course, you may use the system console directly if you prefer. I am using Debian 3.1. The shell side of this is a lot like Fedora Core's, so it should seem pretty straightforward if you are familiar with Fedora Core or Red Hat Linux; only the location of the Apache configuration files differs (Debian keeps them under /etc/apache2, Fedora and Red Hat under /etc/httpd).
Our Goal
First off, let's summarize what we have and what we want. We have a webserver called localhost and we want to password-protect the directory secret. The problem is, when we go to http://localhost/secret we get right in with no password, and Google (and other search engines) can crawl the directory. Note: this isn't really an article on how to avoid search engine crawling; it's about setting up password-protected directories using Apache (as the title states). Yes, I know you can use robots.txt, but a crawler is free to ignore it, whereas Apache enforces the password on every single request.
Dig Into Apache
Apache on Debian keeps its configuration in /etc/apache2 (this is where the configuration files live, not the binaries) and the www root is usually /var/www (this is where your HTML/CSS/PHP files go). This article only covers the default installation of Apache 2.x, so if you go to /etc/apache2/sites-enabled you should see a file called 000-default; this is the file we need to edit. The one change that matters is inside the <Directory /var/www/> block: the stock file ships with AllowOverride None, which makes Apache ignore .htaccess files entirely, and we change it to AllowOverride AuthConfig, which lets a .htaccess file carry authentication directives and nothing else (a broader setting such as AllowOverride All would let anyone who can write into the document root rewrite far more of the server's behaviour). After the edit the file looks like this:
Apache Site Configuration
<VirtualHost *>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        # Indexes lets Apache generate a listing for any directory that has
        # no index file; remove it if you don't want that.
        Options Indexes FollowSymLinks MultiViews
        # Changed from the stock "AllowOverride None": a .htaccess in or
        # below /var/www may now set AuthType, AuthName, AuthUserFile and
        # require, and nothing else.
        AllowOverride AuthConfig
        Order allow,deny
        allow from all
        # This directive allows us to have apache2's default start page
        # in /apache2-default/, but still have / go to the right place
        # RedirectMatch ^/$ /apache2-default/
    </Directory>
</VirtualHost>
After editing 000-default, if you aren't familiar with the Nano editor: press Ctrl+O and then Enter to write the file, then Ctrl+X to exit.
After changing any of Apache's core or site configuration files you must restart (or reload) Apache for the change to take effect; .htaccess files, by contrast, are read on every request, so edits to them need no restart. Run apache2ctl configtest first if you want to catch a typo before taking the server down:
BASH
/etc/init.d/apache2 restart
Configuring .htaccess and .htpasswd
Before we actually configure .htaccess and .htpasswd, we need to create the secret directory. So, go to /var/www, create the directory called secret, change into it (everything that follows is created inside secret, not in /var/www), and add a default index.html file. To do this:
BASH
cd /var/www
mkdir secret
cd secret
touch index.html
Now, still before we configure .htaccess and .htpasswd, we need to add some text to index.html. Open index.html with Nano:
BASH
nano index.html
Now add this XHTML code to index.html:
XHTML
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Password-Protected Area</title>
</head>
<body>
<h1>Password-Protected Area</h1>
<p>You are authorized.</p>
</body>
</html>
Now exit out of Nano (don’t forget to save your work!!). It’s now time to configure .htaccess and .htpasswd.
Configuring .htaccess
The .htaccess file tells Apache the realm name, the type of authentication, where the password file is located, and which users are allowed into the directory. So let's create the .htaccess file in /var/www/secret (note the leading dot (.) is required):
BASH
touch .htaccess
Now let’s add the following to the file using Nano (you should know how to open a file with Nano now by yourself):
Apache Code
AuthName "My Password-Protected Area - Authorized Users Only"
AuthType Basic
AuthUserFile /var/www/secret/.htpasswd
require user secretuser
AuthName sets the realm name. Anyone who hits the directory sees it in the login prompt, whether or not they have an account; it's a descriptive way of letting your users know what this protected area is, so don't put anything you'd rather keep private in it. Note: if spaces are used, you must enclose the whole AuthName value in quotes.
AuthType is the authentication type used for the current directory. Basic is the simplest and the one this article uses; Apache 2.x also ships Digest authentication (mod_auth_digest, whose password file is made with htdigest instead of htpasswd). Be aware that with Basic the browser sends the username and password base64-encoded, which is as good as cleartext, on every request to the realm, so anyone who can watch the connection gets the credentials. Put the protected directory behind HTTPS if the password matters.
AuthUserFile is the absolute path to the password file. It can have any name really, but .htpasswd is the convention. Debian's default apache2.conf contains a <Files ~ "^\.ht"> block that refuses to serve any file whose name starts with .ht, which is what keeps /var/www/secret/.htpasswd from being downloadable at http://localhost/secret/.htpasswd. The safer habit is still to keep the password file outside the document root (somewhere like /etc/apache2/) and point AuthUserFile there, so that it never depends on that rule being present.
require user [username] lists the users allowed into the directory; you may list several usernames separated by spaces, or write require valid-user to admit anyone who has an entry in the password file. The usernames and passwords themselves are defined in the .htpasswd file.
Configuring .htpasswd
.htpasswd is the file that tells Apache the username and the corresponding password hash of each user (the passwords are hashed, not encrypted, so they cannot be recovered from the file). By default on Unix, htpasswd hashes with the crypt() algorithm, which only looks at the first eight characters of the password. Also note that we will use the -c option to create the file. If you use -c each time you add a user, it will wipe out pre-existing users, so please be careful and leave -c off when adding the second and later users. Now, let's create the .htpasswd file (note the leading dot (.) is required):
BASH
htpasswd -cs .htpasswd secretuser
We have just created the file (-c) with a user named secretuser, hashing the password with SHA-1 (-s). You actually type the password after you run this command; the system prompts you for a fresh password and then asks you to re-type it for verification. Be aware that -s stores a plain, unsalted SHA-1 of the password, so two users with the same password get the same hash and a stolen file can be attacked with precomputed tables; the -m option (Apache's salted, iterated $apr1$ MD5 format, which works on every platform) is the stronger choice on Apache 2.x. After you have added your password, your .htpasswd file should look something like this (but not quite, since I am probably using a different password than you are):
.htpasswd File
secretuser:{SHA}E/A6F/9rt3w1dIBCIjsm3wbqutk=
Congrats, you have now successfully configured your .htaccess and .htpasswd files. You should now get a password prompt when you go to http://localhost/secret. Log in with a user and password that you defined with the htpasswd command. Remember that the browser caches the credentials for the realm and re-sends them on every request until you close it, so open a fresh browser session to test a second user or a wrong password.
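Two things this how-to leaves implicit, what htpasswd -s actually stores and what the browser sends back after the AuthName prompt, are easy to see without a running Apache. The following Python is an added example written for this page; it is not code from the original post or from Apache. The password file contents and the password "password" are constructed for the demonstration, and the functions reimplement only the {SHA} entry format and the Basic scheme (the -m and crypt formats are deliberately rejected rather than emulated).

```python
"""Added example (not from the original post): what an htpasswd -s entry
contains, how Apache checks a login against it, and what an HTTP Basic
Authorization header carries on the wire."""
import base64
import binascii
import hashlib
import hmac
import re

# Constructed sample password file in the same format the post shows.
# The (constructed) password behind this entry is "password".
SAMPLE_HTPASSWD = "secretuser:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=\n"


def make_sha_entry(user: str, password: str) -> str:
    """Build the line `htpasswd -s` writes: user:{SHA}base64(sha1(password)).
    There is no salt, so equal passwords always give equal hashes."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def parse_htpasswd(text: str) -> dict:
    """Map user -> stored hash, skipping blank lines and # comments
    the way mod_authn_file does."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        entries[user] = stored
    return entries


def verify_password(htpasswd_text: str, user: str, password: str) -> bool:
    """Check a login against a {SHA} entry. Entries in other formats
    ($apr1$ from -m, crypt(3) from the default) are refused here, not
    silently accepted, because this example does not implement them."""
    stored = parse_htpasswd(htpasswd_text).get(user)
    if stored is None or not stored.startswith("{SHA}"):
        return False
    expected = make_sha_entry(user, password).split(":", 1)[1]
    # Constant-time compare so response timing does not leak a prefix match.
    return hmac.compare_digest(stored, expected)


def basic_auth_header(user: str, password: str) -> str:
    """The Authorization header a browser sends once you answer the prompt,
    and re-sends on every later request to the same realm."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_auth_header(header: str) -> tuple:
    """Anyone who can read the request undoes the encoding: base64 is not
    encryption, which is why Basic auth belongs behind HTTPS."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic token") from exc
    user, _, password = raw.partition(":")
    return user, password


def realm_from_challenge(www_authenticate: str) -> str:
    """Pull the AuthName out of the 401 challenge Apache sends before any
    login, e.g. 'Basic realm="My Password-Protected Area"'. Every visitor
    sees this string, account or not."""
    scheme, _, params = www_authenticate.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic challenge")
    match = re.search(r'realm="([^"]*)"', params)
    if match is None:
        raise ValueError("challenge carries no realm")
    return match.group(1)


if __name__ == "__main__":
    header = basic_auth_header("secretuser", "password")
    print(header)                                  # Basic c2VjcmV0dXNlcjpwYXNzd29yZA==
    print(decode_basic_auth_header(header))        # ('secretuser', 'password')
    print(verify_password(SAMPLE_HTPASSWD, "secretuser", "password"))  # True
    print(verify_password(SAMPLE_HTPASSWD, "secretuser", "Password"))  # False
    print(make_sha_entry("otheruser", "password"))  # same {SHA} value as secretuser
```

Run it and note two things: decode_basic_auth_header() recovers the password from the header with nothing but base64, which is the reason to keep AuthType Basic behind HTTPS, and make_sha_entry() gives the same hash for every user who picks the same password, which is the unsalted-SHA weakness that htpasswd -m avoids.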

Discussion always soothes thy heart.
Great instructions.. I haven’t set this up in years and it was a snap using your howto.
Thanks man.
Great! Glad I could help. It’s not the most “secure” solution, but sure does work for a temporary solution.
Either way, it’s a great way of password protecting directories, without having root access to the server.
Again, thanks!
Nice how-to. I have a question… what if I want to let some users get into a directory but just one of them into another directory inside?
Thanks for the how-to, anyway ;)
This one didn’t work for me. I got a password prompt but when trying to log in I got internal server errors.
Hello Jeremy,
This can easily be due to Apache configuration, that is probably not due to my little tutorial here. I make sure all of my articles are pretty straightforward and very wordy to ensure that I get all the detail out.
What OS are you running, and what version of Apache? If you could contact me via the Contact Me page with your Apache configuration, I might be able to help you. Internal Server Errors (500) are usually due to a configuration on the actual web server, and might not be due to my article, especially since you stated that you get the password prompt, and once it lets you in, it gives you internal server errors. This statement actually indicates that my article was a success and it did work.
Please let me know how I can further help you out with these errors. Drop me a line or something; I’d love to help.
Regards,
Drew
Nice read. Thanks for the detailed write-up.
Thanks for the kind words. Feel free to send me other ideas. I have plenty more to come, actually, but I’ve been rather busy. I’ll see if I can get some of my ideas off the paper and onto the site.
Thanks,
Drew
Finally, a useful article. I always edited httpd.conf, but not sites-enabled. Thanks a lot!
[...] configuration, you told Apache to use the .htpasswd.users file in the /var/www directory. You can follow my other article on how to configure .htaccess. If you plan on storing your .htaccess/.htpasswd files somewhere else, [...]