Password Protecting Apache
Enforce user logins for web access (FreeBSD 5.2)
Posted 20.12.2001 | Updated 25.11.2006 | Contributed by Andy Mallett


Password protecting an Apache web server simply means protecting a specified directory so that users are prompted for a username and password before they can access it.

The following instructions were compiled using FreeBSD 5.2.1 and Apache 1.3.17. See the bottom of the page for other versions/platforms.

1. Create the Protected Directory

Make a directory to protect within the Apache tree..

mkdir  /usr/local/apache/htdocs/secrets

2. Create the passwords File

Next create a passwords file. This is a single file which will contain the user access list. Don't put this passwords file in any of Apache's public directories (i.e. anywhere inside /htdocs) where somebody could find it.

Running the following htpasswd command will create the passwords file (-c) and add an initial user to it..

/usr/local/apache/bin/htpasswd  -c  /usr/local/apache/conf/passwords  fred

Enter the user password twice.

Note: You may have to change the permissions on the passwords file to EVERYONE, EXECUTE. This little snippet is often left out of the instructions and can sometimes be the cause of a password box which doesn't accept a valid username/password combination.

The passwords file can have other users added later, by running the above command without the -c switch..

cd  /usr/local/apache/bin
./htpasswd  /usr/local/apache/conf/passwords  loco


Enter the new user's password twice. Note that these users are not system user accounts. They cannot log in to the server with these credentials. An entry only allows a certain username to access a certain web directory, nothing else.

3. Create the .htaccess File

Create an .htaccess file in the protected directory. This file will specify which users have access to the directory which the .htaccess file sits in..

cd  /usr/local/apache/htdocs/secrets
vi  .htaccess


Here is a sample .htaccess I prepared earlier..

AuthType Basic
AuthName "Restricted Files"
AuthUserFile /usr/local/apache/conf/passwords
Require valid-user


  1. You may need to modify the AuthUserFile line (line 3 above) to point to a different path for the passwords file location. Mine is /usr/local/apache/conf/passwords
  2. Place a copy of the .htaccess file in each directory which requires password protection

4. Modify httpd.conf

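This file is the main configuration file for Apache. It must be modified to allow the password override. Find the string below (approx line 328) and modify the AllowOverride None entry to AllowOverride All. All is the broadest setting; the "AuthConfig" option named in the comment below is the one that covers the authentication directives used in the .htaccess file above..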

vi  /usr/local/apache/conf/httpd.conf
:set num (in vi, this lets you see the line numbers..)

#
# This controls which options the .htaccess files in directories can
# override. Can also be "All", or any combination of "Options", "FileInfo",
# "AuthConfig", and "Limit"
#
AllowOverride All


5. Restart the Apache Service

To apply these new settings, the Apache daemon must be restarted..

/usr/local/apache/bin/apachectl  restart
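
A check for the result of steps 2 and 3, as an added example that is not part of the original guide: it confirms that the .htaccess carries the four directives shown above and that the file named by AuthUserFile exists, sits outside the document root, is not world-writable and holds at least one user. The function name check_htaccess and the script name are hypothetical, and an absolute AuthUserFile path is assumed.

```shell
#!/bin/sh
# Added example, not part of the original guide.
# check_htaccess DOCROOT PROTECTED_DIR
# Prints one FAIL line per problem; returns 0 only when none are found.
check_htaccess() {
    docroot=$1; dir=$2; ht="$dir/.htaccess"; rc=0
    if [ ! -d "$docroot" ] || [ ! -f "$ht" ]; then
        echo "FAIL: bad document root or no .htaccess in $dir"; return 1
    fi
    # The four directives from the sample .htaccess in step 3
    for d in AuthType AuthName AuthUserFile Require; do
        grep -Eiq "^[[:space:]]*$d[[:space:]]" "$ht" ||
            { echo "FAIL: $d missing from $ht"; rc=1; }
    done
    # Path given to AuthUserFile (quotes stripped; paths with spaces unsupported)
    pw=$(awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2; exit }' "$ht")
    if [ -z "$pw" ] || [ ! -f "$pw" ]; then
        echo "FAIL: passwords file '$pw' not found"; return 1
    fi
    # Resolve directories physically so ".." or a symlinked directory
    # cannot hide a passwords file that really sits under the document root
    real_root=$(cd "$docroot" && pwd -P)
    real_pw=$(cd "$(dirname "$pw")" && pwd -P)/$(basename "$pw")
    case "$real_pw" in
        "$real_root"/*) echo "FAIL: $pw is inside the document root"; rc=1 ;;
    esac
    # A world-writable file lets any local account add or replace web logins
    if [ -n "$(find "$pw" -prune -perm -002)" ]; then
        echo "FAIL: $pw is world-writable"; rc=1
    fi
    # htpasswd writes one user:hash entry per line
    grep -Eq '^[^:]+:.+' "$pw" || { echo "FAIL: $pw has no user entries"; rc=1; }
    return $rc
}

# Run as: sh check_htaccess.sh /usr/local/apache/htdocs /usr/local/apache/htdocs/secrets
if [ "$#" -eq 2 ]; then
    check_htaccess "$1" "$2"
fi
```
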

Et voila! Password protected web directories. There are a few variations of Apache about, depending on version and platform. I have configured Apache under Linux to do the same thing..

- Password Protect Apache under Red Hat Linux