Apache - Authentication - Basic Authentication
To restrict access to certain HTTP resources, create two files: .htaccess and .htpasswd (or equivalent per httpd.conf setting).
Configure Apache to allow .htaccess authentication.
By default Apache does not allow the use of .htaccess files.
- Apache will need to be configured to allow .htaccess based authentication.
Editing the Apache config file:
sudo vi /etc/httpd/conf/httpd.conf
Find the section that begins with <Directory "/var/www/html">.
Change the line from AllowOverride none to AllowOverride AuthConfig.
- /etc/httpd/conf/httpd.conf
AllowOverride AuthConfig
Save and close the file.
Create a password file with htpasswd
The htpasswd command is used to create and update the files that store usernames and passwords for basic authentication of Apache users.
- A hidden file .htpasswd will need to be created in the /etc/httpd/ configuration directory.
For example, create a .htpasswd file for user1.
sudo htpasswd -c /etc/httpd/.htpasswd user1
This will prompt to supply and confirm a password for user1.
WARNING: Only use -c the first time the file is created.
- Do not use -c when another user is added in the future: -c recreates the file and discards the existing entries.
Create another user named user2:
sudo htpasswd /etc/httpd/.htpasswd user2
Display the username and encrypted password for each user
sudo cat /etc/httpd/.htpasswd
returns:
user1:$apr1$0r/2zNGG$jopiWY3DEJd2FvZxTnugJ/
user2:$apr1$07FYIyjx$7Zy1qcBd.B8cKqu0wN/MH1
Allow Apache to read the .htpasswd file
sudo chown apache:apache /etc/httpd/.htpasswd
sudo chmod 0660 /etc/httpd/.htpasswd
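The .htpasswd file is the only thing standing between a guessed password and the restricted content, so it is worth checking how each entry is stored and who can read the file. The script below is an added example, not part of the original page: it classifies each entry by the prefix of its password field (the $apr1$ MD5 format shown above, bcrypt, unsalted {SHA}, legacy crypt(3), or plain text) and flags a world-readable file. It assumes a POSIX sh with awk, grep -E, find and mktemp; the sample file it builds is constructed for the demo and reuses the user1 hash from the listing above.

```shell
#!/bin/sh
# Added example (not from the original page): audit a .htpasswd file and report
# the hashing scheme of every entry, so weak storage (plain text, legacy crypt(),
# unsalted {SHA}) and unsafe file permissions are noticed before deployment.
# Assumptions: POSIX sh with awk, grep -E, find and mktemp available.

# Classify one password-field value by its prefix or format.
htpasswd_scheme() {
  case "$1" in
    '$apr1$'*)                 echo "apr1-md5 (ok)" ;;
    '$2y$'*|'$2a$'*|'$2b$'*)   echo "bcrypt (ok)" ;;
    '{SHA}'*)                  echo "sha1-unsalted (weak)" ;;
    '')                        echo "empty (weak)" ;;
    *)
      # Exactly 13 characters from the crypt(3) alphabet is a legacy DES crypt
      # hash; anything else is a password stored in plain text.
      if printf '%s' "$1" | grep -Eq '^[./0-9A-Za-z]{13}$'; then
        echo "crypt-des (weak)"
      else
        echo "plaintext (weak)"
      fi ;;
  esac
}

# Audit FILE: prints one line per user, returns 1 if anything weak was found,
# 2 if the file cannot be read.
audit_htpasswd() {
  file="$1"
  status=0
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
  # A world-readable password file lets any local account copy it for offline guessing.
  if [ -n "$(find "$file" -perm -004 2>/dev/null)" ]; then
    echo "WEAK: $file is world-readable"
    status=1
  fi
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ''|'#'*) continue ;;                      # blank line or comment
      *:*) ;;                                   # well-formed user:hash
      *) echo "WEAK: malformed line '$line'"; status=1; continue ;;
    esac
    user="${line%%:*}"
    hash="${line#*:}"
    scheme="$(htpasswd_scheme "$hash")"
    echo "$user: $scheme"
    case "$scheme" in *weak*) status=1 ;; esac
  done < "$file"
  return "$status"
}

# Constructed sample file (mktemp creates it mode 0600). The user1 line is the
# apr1 hash from the listing above; the other two deliberately show weak storage.
sample="$(mktemp)"
cat > "$sample" <<'EOF'
user1:$apr1$0r/2zNGG$jopiWY3DEJd2FvZxTnugJ/
user2:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
user3:plaintextpassword
EOF
if audit_htpasswd "$sample"; then
  echo "all entries acceptable"
else
  echo "weak entries found"
fi
rm -f "$sample"
```

Run it as `sh audit.sh` after saving, or source it and call `audit_htpasswd /etc/httpd/.htpasswd` (as a user allowed to read the file). The exit status makes it usable from a deployment check that should fail when a weak entry or a loose permission slips in.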
Configure Apache password authentication
Create a .htaccess file in the web directory which is to be restricted.
For example, create the .htaccess file in the /var/www/html/ directory to restrict the entire document root.
sudo vi /var/www/html/.htaccess
Add the following content:
- /var/www/html/.htaccess
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/httpd/.htpasswd
Require valid-user
Save and close the file, then restart Apache to make these changes take effect.
sudo apachectl restart
Testing password authentication
Try to access the restricted content in a web browser by visiting the URL or static IP address.
This will prompt for a username and password to access the website.
NOTE: If the correct credentials are entered, the site will be accessible.
- If the wrong credentials are entered, or Cancel is pressed, this should show the Unauthorized error page.
- Password protection should be combined with SSL/TLS (HTTPS), so that the credentials are not sent to the server in plain text.
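The last point is easy to underestimate: the browser sends the username and password in an Authorization header that is only base64-encoded, not encrypted, so anyone who can observe plain HTTP traffic can read them back. The script below is an added example, not part of the original page. It builds the header the way a browser does, decodes it again, and reports whether a captured request (a constructed sample, not real traffic) exposed credentials over HTTP or was protected by TLS. It assumes a POSIX sh with awk and a base64 command that accepts -d (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example (not part of the original page): show that Basic authentication
# only base64-encodes "user:password", and flag requests where such a header was
# observed over plain HTTP. Assumes POSIX sh, awk, and `base64 -d`.

# Build the header value a browser sends: "Basic " + base64("user:password").
basic_auth_header() {
  printf 'Basic %s' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Recover "user:password" from a header value; fails if it is not a Basic header.
decode_basic_auth_header() {
  case "$1" in
    'Basic '*) ;;
    *) echo "not a Basic header" >&2; return 1 ;;
  esac
  printf '%s' "${1#Basic }" | base64 -d
}

# Given the scheme the sensor saw ("http" or "https") and a block of request
# headers, print a verdict. Only the user name is echoed; the password is never
# written to the report.
report_exposed_credentials() {
  scheme="$1"
  headers="$2"
  auth="$(printf '%s\n' "$headers" | awk -F': ' 'tolower($1)=="authorization"{print $2; exit}')"
  if [ -z "$auth" ]; then
    echo "no Basic credentials in request"
    return 0
  fi
  if [ "$scheme" = "https" ]; then
    echo "Basic credentials sent, but protected by TLS"
    return 0
  fi
  creds="$(decode_basic_auth_header "$auth")" || return 1
  echo "EXPOSED over plain HTTP: user '${creds%%:*}' (password readable by any on-path observer)"
}

# Demo with constructed values (user1 from the tutorial, a made-up password).
hdr="$(basic_auth_header user1 s3cret)"
echo "header sent by the browser: $hdr"
echo "decoded by an observer:     $(decode_basic_auth_header "$hdr")"
request="GET /private/ HTTP/1.1
Host: www.example.com
Authorization: $hdr
User-Agent: constructed-sample"
report_exposed_credentials http "$request"
report_exposed_credentials https "$request"
```

The same check is what a proxy or IDS rule effectively does when it alerts on an Authorization: Basic header seen on port 80; the fix on the server side is to serve the protected directory only over HTTPS (or redirect HTTP to HTTPS) so the header is never sent in the clear.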