Password-protecting an Apache web server simply means protecting a specified directory so that users are prompted for a username and password in order to access it.
The following instructions were compiled using FreeBSD 5.2.1 and Apache 1.3.17. See the bottom of the page for other versions/platforms.
1. Create the Protected Directory
Make a directory to protect within the Apache tree.
2. Create the passwords File
Next create a passwords file. This is a single file which will contain the user access list. Don't put this passwords file in any of Apache's public directories (i.e. anywhere inside /htdocs) where somebody could find it.
Running the following htpasswd command will create the passwords file (-c) and add an initial user to it:
/usr/local/apache/bin/htpasswd -c /usr/local/apache/conf/passwords fred
Enter the user password twice.
Note: You may have to change the permissions on the passwords file to EVERYONE, EXECUTE. This little snippet is often left out of the instructions and can sometimes be the cause of a password box which doesn't accept a valid username/password combination.
The passwords file can have other users added later, by running the same command without the -c:
/usr/local/apache/bin/htpasswd /usr/local/apache/conf/passwords angie
Enter the new user's password twice. Note that these users are not system user accounts. They cannot log in to the server with these credentials. The credentials only allow a certain username to access a certain web directory, nothing else.
3. Create the .htaccess File
Create an .htaccess file in the protected directory. This file will specify which users have access to the directory which the .htaccess file sits in.
Here is a sample .htaccess I prepared earlier:
AuthName "Restricted Files"
- You may need to modify the AuthUserFile line (line 3 above) to point to a different path for the passwords file location. Mine is /usr/local/apache/conf/passwords
- Place a copy of the .htaccess file in each directory which requires password protection
4. Modify httpd.conf
This file is the main configuration file for Apache. It must be modified to allow the password override. Find the string below (approx line 328) and modify the AllowOverride None entry to AllowOverride All (in vi, this lets you see the line numbers..)
# This controls which options the .htaccess files in directories can
# override. Can also be "All", or any combination of "Options", "FileInfo",
# "AuthConfig", and "Limit"
5. Restart the Apache Service
To pick up these new settings, the Apache daemon must be restarted.
Et voila! Password-protected web directories. There are a few variations of Apache about, depending on version and platform. I have configured Apache under Linux to do the same thing.
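To check the result of steps 2 and 3, here is an added example that is not part of the original instructions. The shell function below (audit_htaccess and abs_path are names made up for this example) reads a directory's .htaccess, confirms the basic-authentication directives are present, and checks that the passwords file named by AuthUserFile exists, sits outside the document root and is not world-writable. It assumes the AuthUserFile path is absolute and contains no spaces.

```shell
#!/bin/sh
# Added example: audit one directory protected as in steps 2 and 3.
# audit_htaccess DOCROOT PROTECTED_DIR -> prints findings, returns 0 if clean.
# Assumption: AuthUserFile holds an absolute path without spaces.

# Physical absolute path of a file (resolves symlinked parent directories).
abs_path() {
    ( cd "$(dirname "$1")" && printf '%s/%s\n' "$(pwd -P)" "$(basename "$1")" )
}

audit_htaccess() {
    docroot=$(cd "$1" 2>/dev/null && pwd -P) ||
        { echo "FAIL: document root $1 not found"; return 1; }
    ht="$2/.htaccess"
    [ -f "$ht" ] || { echo "FAIL: $ht not found"; return 1; }
    rc=0

    # Basic authentication is only enforced when all four directives are set.
    for d in AuthType AuthName AuthUserFile Require; do
        grep -Eiq "^[[:space:]]*$d[[:space:]]" "$ht" ||
            { echo "FAIL: $d missing from $ht"; rc=1; }
    done

    # Path of the passwords file, with optional quotes stripped.
    pw=$(awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2; exit }' "$ht")
    [ -n "$pw" ] || { echo "FAIL: no usable AuthUserFile path in $ht"; return 1; }
    [ -f "$pw" ] || { echo "FAIL: passwords file $pw not found"; return 1; }

    # Step 2: the passwords file must not sit anywhere under the document root.
    case "$(abs_path "$pw")" in
        "$docroot"/*) echo "FAIL: $pw is inside the document root"; rc=1 ;;
    esac

    # Any local user could add or replace accounts in a world-writable file.
    if [ -n "$(find "$pw" -prune -perm -0002)" ]; then
        echo "FAIL: $pw is world-writable"; rc=1
    fi

    if [ "$rc" -eq 0 ]; then echo "OK: $2 uses $pw"; fi
    return "$rc"
}

# When run as a script with two arguments, audit that directory.
if [ "$#" -eq 2 ]; then audit_htaccess "$1" "$2"; fi
```

Run it once per protected directory, since each one carries its own copy of the .htaccess file.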