Table of Contents

Apache - Authentication - Basic Authentication

To restrict access to certain HTTP resources, create two files: .htaccess and .htpasswd (or equivalent per httpd.conf setting).


Configure Apache to allow .htaccess authentication.

By default Apache does not allow the use of .htaccess files.

Editing the Apache config file:

sudo vi /etc/httpd/conf/httpd.conf

Find the section that begins with <Directory “/var/www/html”>.

Change the line from AllowOverride none to AllowOverride AuthConfig.

/etc/httpd/conf/httpd.conf
AllowOverride AuthConfig

Save and close the file.


Create a password file with htpasswd

The htpasswd command is used to create and update the files used to store usernames and password for basic authentication of Apache users.

For example, create a .htpasswd file for user1.

sudo htpasswd -c /etc/httpd/.htpasswd user1

This will prompt to supply and confirm a password for user1.

WARNING: Only use -c the first time the file is created.

  • Do not use -c when another user is added in the future.

Create another user named user2:

sudo htpasswd /etc/httpd/.htpasswd user2

Display the username and encrypted password for each user

sudo cat /etc/httpd/.htpasswd

returns:

user1:$apr1$0r/2zNGG$jopiWY3DEJd2FvZxTnugJ/
user2:$apr1$07FYIyjx$7Zy1qcBd.B8cKqu0wN/MH1

Allow Apache to read the .htpasswd file

sudo chown apache:apache /etc/httpd/.htpasswd
sudo chmod 0660 /etc/httpd/.htpasswd

Configure Apache password authentication

Create a .htaccess file in the web directory which is to be restricted.

For example, create the .htaccess file in the /var/www/html/ directory to restrict the entire document root.

sudo vi /var/www/html/.htaccess

Add the following content:

/var/www/html/.htaccess
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/httpd/.htpasswd
Require valid-user

Save and close the file, then restart Apache to make these changes take effect.

sudo apachectl restart

Testing password authentication

Try to access the restricted content in a web browser by visiting the URL or static IP address.

This will prompt for a username and password to access the website.

NOTE: If the correct credentials are entered, the site will be accessible.

  • If the wrong credentials or entered, or Cancel is pressed, this should show the Unauthorized error page.
  • Password protection should be combined with SSL, so that the credentials are not sent to the server in plain text.

References

http://www.webtrafficexchange.com/how-create-htpasswd-file-encrypted-password