How-To: Password Protect Apache Directories with .htaccess


Have you ever wanted to let someone download a file or image from your website, but didn’t want the whole world to know about it, Google’s search-engine spiders included? A robots.txt file only goes so far; personally I’d rather password-protect my directories if I don’t want them crawled. It’s a great way to set up realms that only the privileged few know about. I’ll walk you through the very simple steps of doing so and show you what gets added on the server side.

Grab Your Tools

We will need a couple of things to set up a password-protected directory using Apache. First off we need an operating system. I am going to presume that you already have Apache 2.x installed on your server. If you are like me, you will also need to download PuTTY and have a network connection to your server. Of course, you may use the direct system console if you prefer. I am using Debian 3.1; you can download it here. Debian syntax is a lot like Fedora Core’s, so it should seem pretty straightforward if you are familiar with Fedora Core or Red Hat Linux.

Our Goal

First off, let’s summarize what we have and what we want. We have a webserver called localhost and we want to password-protect the directory secret. The problem is that when we go to http://localhost/secret we get right in, no password asked, and Google (and other search engines) can crawl the directory. Note: This isn’t really an article on how to avoid search-engine crawling; it’s about setting up password-protected directories using Apache (as the title states), and yes, I know that you can use robots.txt.

Dig Into Apache

Apache on Debian is usually found in /etc/apache2 (this is where Apache’s configuration lives) and the www root is usually found in /var/www (this is where your HTML/CSS/PHP files go). This article will only cover the default installation of Apache 2.x, so if you go to /etc/apache2/sites-enabled you should see a file called 000-default; this is the file we need to edit. The important line is AllowOverride AuthConfig in the /var/www/ Directory block, which is what permits a .htaccess file to turn on authentication:

<VirtualHost *>
        ServerAdmin webmaster@localhost

        DocumentRoot /var/www/
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>

        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride AuthConfig
                Order allow,deny
                allow from all
                # This directive allows us to have apache2's default start page
                # in /apache2-default/, but still have / go to the right place
                # RedirectMatch ^/$ /apache2-default/
        </Directory>

</VirtualHost>

After editing 000-default, if you aren’t familiar with the Nano editor, press Ctrl+O and then Enter to write the file, then press Ctrl+X to exit.

After changing any part of Apache’s core files, or configuration files, you must restart Apache:

/etc/init.d/apache2 restart

Configuring .htaccess and .htpasswd

Before we actually configure .htaccess and .htpasswd, we need to create the secret directory. So, go to /var/www, create the directory called secret, change into it, and add a default index.html file. To do this:

cd /var/www
mkdir secret
cd secret
touch index.html

Now, still before we configure .htaccess and .htpasswd, we need to add some text to index.html. Open index.html with Nano:

nano index.html

Now add this XHTML code to index.html:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
   <title>Password-Protected Area</title>
</head>
<body>
   <h1>Password-Protected Area</h1>
   <p>You are authorized.</p>
</body>
</html>

Now exit out of Nano (don’t forget to save your work!!). It’s now time to configure .htaccess and .htpasswd.

Configuring .htaccess

.htaccess is the file that tells Apache the realm name, the type of authentication, where the password file is located, and which users are allowed to access the directory. So let’s create the .htaccess file in the secret directory (note that the leading dot (.) is required):

touch .htaccess

Now let’s add the following to the file (.htaccess) using Nano (you should know how to open a file with Nano now by yourself):

AuthName "My Password-Protected Area - Authorized Users Only"
AuthType Basic
AuthUserFile /var/www/secret/.htpasswd
require user secretuser

AuthName is used to create a realm name. Everyone who is prompted sees this; it’s a descriptive way of letting your users know what this protected area is. Note: If the name contains spaces, you must enclose the whole AuthName value in double quotes.

AuthType is the authentication type used for the current directory. Basic authentication is the only one that is currently implemented.

AuthUserFile is the absolute path to the password file. The file can have any name, but .htpasswd is the convention I have seen everywhere.

require user [username] lists the users that may access the directory. The usernames and passwords themselves are defined in the .htpasswd file.
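The four directives above form a tiny grammar, and the two mistakes the text warns about (an unquoted AuthName containing spaces, a relative AuthUserFile) are easy to catch before Apache refuses the file. The following checker is an added example and not part of the original tutorial; it parses the directives with shell-style quoting, the same way Apache splits arguments, and reports errors and warnings. The sample .htaccess texts and the DOCUMENT_ROOT value are constructed to match the tutorial; the directive names and rules are Apache's own.

```python
import shlex
from typing import Dict, List, Tuple

# Constructed sample: the .htaccess used in the tutorial above.
GOOD_HTACCESS = """\
AuthName "My Password-Protected Area - Authorized Users Only"
AuthType Basic
AuthUserFile /var/www/secret/.htpasswd
require user secretuser
"""

# Constructed sample with the mistakes the text warns about: an unquoted
# AuthName that contains spaces, a relative AuthUserFile, and no require line.
BAD_HTACCESS = """\
AuthName My Password-Protected Area
AuthType Basic
AuthUserFile .htpasswd
"""

DOCUMENT_ROOT = "/var/www"  # assumed; matches the tutorial's DocumentRoot


def parse_htaccess(text: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Parse the auth directives of a .htaccess file and report findings.

    Returns (directives, findings). Directive names are lower-cased because
    Apache matches them case-insensitively. Findings are prefixed 'error:'
    (Apache rejects the file or never asks for a password) or 'warning:'.
    """
    directives: Dict[str, List[str]] = {}
    findings: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # honours the double quotes Apache expects
        name, args = tokens[0].lower(), tokens[1:]
        directives[name] = args
        if name == "authname" and len(args) != 1:
            findings.append(
                f"error: line {lineno}: AuthName takes one argument; "
                "quote a realm name that contains spaces"
            )

    if [a.lower() for a in directives.get("authtype", [])] != ["basic"]:
        findings.append("error: this setup needs 'AuthType Basic'")

    userfile = directives.get("authuserfile", [])
    if len(userfile) != 1:
        findings.append("error: AuthUserFile must name exactly one file")
    elif not userfile[0].startswith("/"):
        findings.append("error: AuthUserFile must be an absolute path")
    elif userfile[0].startswith(DOCUMENT_ROOT + "/"):
        # Not fatal, but the file is then web-reachable in principle; Apache's
        # default configuration denies requests for names starting with .ht
        findings.append(
            "warning: AuthUserFile lives under DocumentRoot; this relies on "
            "Apache's default rule that denies web access to .ht* files"
        )

    if "require" not in directives:
        findings.append("error: no require directive, so no password is ever asked for")
    return directives, findings


if __name__ == "__main__":
    for label, sample in (("good", GOOD_HTACCESS), ("bad", BAD_HTACCESS)):
        _, found = parse_htaccess(sample)
        print(label, "->", found or "no findings")
```

Run it directly to see the constructed good sample pass with a single warning and the bad sample fail with three errors.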

Configuring .htpasswd

.htpasswd is the file that tells Apache the username and corresponding password hash of each user. By default, passwords are hashed with the CRYPT algorithm. Also note that we will use the -c option to create the file. If you use -c each time you add a user, it will wipe out the preexisting users, so please be careful. Now, let’s create the .htpasswd file (note that the leading dot (.) is required):

htpasswd -cs .htpasswd secretuser

We have just created (-c) a .htpasswd file containing the user secretuser, and we are using the SHA hashing algorithm for the password (-s). You actually set the password after you run this command: the system will prompt you for a fresh password and then have you re-enter it for verification. After you have entered your new password, your .htpasswd file should look something like this (but not quite, since I am probably using a different password than you are):

secretuser:{SHA}E/A6F/9rt3w1dIBCIjsm3wbqutk=
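The line above is the whole format: the username, a colon, and the hash field that htpasswd -s writes, which is the literal prefix {SHA} followed by the base64 of the unsalted SHA-1 of the password. The following is an added example, not code from the tutorial or from Apache; it reproduces that hash field, adds users with and without the -c behaviour so the wipe-out caveat is visible, and checks a password against a stored entry. All usernames and passwords in it are constructed; the real htpasswd tool does this (and, in current releases, defaults to stronger MD5-apr1 or bcrypt hashes) for you.

```python
import base64
import hashlib
import secrets
from typing import Dict


def sha_entry(password: str) -> str:
    """Hash field exactly as 'htpasswd -s' writes it: '{SHA}' + base64(SHA-1(password)).

    Unsalted SHA-1 is what the tutorial's -s flag produces; it is kept here
    only to match that format, not as a recommendation.
    """
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def parse_htpasswd(text: str) -> Dict[str, str]:
    """Map each 'user:hash' line to {user: hash}; blank and comment lines are skipped."""
    users: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, _, hashed = line.partition(":")
        users[user] = hashed
    return users


def add_user(text: str, user: str, password: str, create: bool = False) -> str:
    """Return the file contents after adding (or replacing) a user.

    create=True mirrors 'htpasswd -c': it starts from an empty file, which is
    why existing users disappear when -c is reused for every addition.
    """
    users = {} if create else parse_htpasswd(text)
    users[user] = sha_entry(password)
    return "".join(f"{u}:{h}\n" for u, h in users.items())


def verify(text: str, user: str, password: str) -> bool:
    """Check a password against the stored {SHA} entry for a user.

    Entries in other schemes (crypt, MD5-apr1, bcrypt) are reported as a
    failed match here because this helper only knows the {SHA} format.
    """
    stored = parse_htpasswd(text).get(user)
    if stored is None or not stored.startswith("{SHA}"):
        return False
    # constant-time comparison so the check does not leak how much matched
    return secrets.compare_digest(stored, sha_entry(password))


if __name__ == "__main__":
    # constructed walk-through: create with -c, add a second user without it,
    # then show that a second -c throws the earlier users away
    content = add_user("", "secretuser", "correct horse", create=True)
    content = add_user(content, "second", "hunter2")
    print(content)
    print("secretuser logs in:", verify(content, "secretuser", "correct horse"))
    content = add_user(content, "third", "battery staple", create=True)
    print("after a second -c only these remain:", sorted(parse_htpasswd(content)))
```

Note that verify refuses anything that is not a {SHA} entry rather than guessing at the scheme; a file created by a plain htpasswd -c (no -s) holds crypt hashes and needs the real tool, or a crypt implementation, to check.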

Congrats, you have now successfully configured your .htaccess and .htpasswd files. You should now get a password prompt upon going to the URL http://localhost/secret. Log in using a username and password that you defined with the htpasswd command:

[Screenshot: Password Protect Dialog]