There are many ways you can password protect directories
under Apache web server. This is important to keep your file privates from both
unauthorized users and search engines (when you do not want to get your data
indexed). Here you will see the basics of password protecting a directory on your
server. You can use any one of the following method:
- Putting authentication directives in a <Directory> section, in your main server configuration httpd.conf file, is the preferred way to implement this kind of authentication.
- If you do not have
access to Apache httpd.conf file (for example shared hosting) then with
the help of file called .htaccess you can create password protect
directories. .htaccess file provide a way to make configuration changes on
a per-directory basis.
In order to create
apache password protected directories you need:
Ø
a
password file
Ø
and
Directory name which you would like to password protect (/var/www/html/private)
Step 1: Make
sure Apache is configured to use .htaccess file
You need to have AllowOverride AuthConfig directive in
httpd.conf file in order for these directives to have any effect. Look for
DocumentRoot Directory entry. In this example, our DocumentRoot directory is
set to /var/www/html/private. Therefore, my entry in httpd.conf looks like as
follows:
Options Indexes Includes FollowSymLinks MultiViews
AllowOverride AuthConfig
Order allow,deny
Allow from all
Save the file and restart Apache
# service httpd restart
Step 2: Create a password
file with htpasswd
htpasswd command is used to create and update the flat-files
(text file) used to store usernames and password for basic authentication of
Apache users. General syntax:
# htpasswd -c password-file username
Where,
- -c: Create the password-file. If password-file already exists, it is rewritten and truncated.
- Username: The username to create or update in password-file. If username does not exist in this file, an entry is added. If it does exist, the password is changed.
Create directory outside apache document root, so that only
Apache can access password file. The password-file should be placed somewhere
not accessible from the web. This is so that people cannot download the
password file:
# mkdir -p /home/password/
Add new user called marshal
# htpasswd -c /home/password/.htpasswd marshal
Make sure “/home/password/.htpasswd” file is readable by
Apache web server. If Apache cannot read your password file, it will not
authenticate you. You need to setup a correct permission using chown command.
Now allow apache user apache to read our password file:
# chown apache:apache /home/password/.htpasswd # chmod 0660 /home/password/.htpasswd
Create a directory /var/www/html/private if it does not
exist:
# mkdir -p /var/www/html/private
Create .htaccess file using text editor:
# cd /var/www/html/private # vi .htaccess
Add following text:
AuthType Basic
AuthName "Restricted Access"
AuthUserFile /home/password/.htpasswd
Require user marshal
Save file and exit to shell prompt.
Step 3: Test your
configuration
Fire your browser type url http://yourdomain.com/private or
http://localhost/private or http://ip-address/private
When prompted for username and password please supply
username marshal and password. You can add following lines to any file
<Directory> entry in httpd.conf file:
AuthType Basic
AuthName "Restricted Access"
AuthUserFile /home/password/.htpasswd
Require user marshal
To change or setup new user use htpasswd command again.
