How to password protect a website under Apache

A general description of how to password protect a website with Apache's basic and digest authentication, and how to combine that with host-based access control.

Protecting content with basic authentication

1. Create a password file
2. Set the configuration to use this password file
3. Optionally, create a group file

To create the file, type:

htpasswd -c /usr/local/apache/passwd/passwords username

You can create the file in any directory, but keep it outside the web document root (DocumentRoot) so that it can never be served to a client; a directory under the Apache installation or configuration directory, as in the path above, is the usual choice. htpasswd will ask you for the password, and then ask you to type it again to confirm it:

# htpasswd -c /usr/local/apache/passwd/passwords kin
New password: mypassword
Re-type new password: mypassword
Adding password for user kin

The -c flag is used only when you are creating a new file; it truncates any existing file of that name, so omit it when you are adding users to an already-existing password file:

htpasswd /usr/local/apache/passwd/passwords testuser

Make the password file owned by root and by the group Apache runs as (here apache), readable by that group and writable only by root:

chown root:apache /usr/local/apache/passwd/passwords
chmod 640 /usr/local/apache/passwd/passwords

Set the configuration to use this password file

AuthType Basic
AuthName "By Invitation Only"
AuthUserFile /usr/local/apache/passwd/passwords
Require user kin testuser

The phrase "By Invitation Only" will be displayed in the password pop-up box, where the user will have to type their credentials. These directives go in a <Directory> or <Location> block in the server configuration, or in an .htaccess file if AllowOverride AuthConfig is enabled for that directory. If you want every user in the password file to be able to log in, replace the last line with "Require valid-user".

Optionally, create a group file

Create the group file and add the group name and its users to it. A group name appears first on a line, followed by a colon, and then a list of the members of the group, separated by spaces. For example:

authors: kin testuser1 testuser2

The configuration then looks like the following:

AuthType Basic
AuthName "Apache Admin Guide Authors"
AuthUserFile /usr/local/apache/passwd/passwords
AuthGroupFile /usr/local/apache/passwd/groups
Require group authors

Basic authentication sends the username and password base64-encoded, not encrypted, with every request, so anyone who can see the traffic can read them. Do not use it over plain HTTP for anything that requires real security; it is acceptable only across an SSL/TLS (HTTPS) connection.
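The whole basic-auth procedure above, as an added example that is not code from the original post: it builds a password file in the "{SHA}" format that `htpasswd -s` writes (base64 of the raw SHA-1 digest, chosen here only because the standard library can compute it; `htpasswd -B` bcrypt is the stronger choice on a real server), then checks a browser's Basic Authorization header against it the way mod_auth_basic and mod_authn_file do, modelling both "Require user kin testuser" and "Require valid-user". The usernames, passwords and headers are constructed sample data, and decoding the header shows why the warning above applies.

```python
# Added example, not code from the original post. Users, passwords and headers
# below are constructed sample data.
import base64
import hashlib
import hmac
from typing import Dict, Optional, Set, Tuple


def sha_entry(password: str) -> str:
    """The {SHA} hash form stored by `htpasswd -s` (unsalted SHA-1, base64)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def build_htpasswd(users: Dict[str, str]) -> str:
    """One "user:hash" line per user, which is all htpasswd appends to the file."""
    return "".join(f"{user}:{sha_entry(pw)}\n" for user, pw in users.items())


def parse_htpasswd(text: str) -> Dict[str, str]:
    """Map user -> stored hash; blank lines and comments are ignored."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        entries[user] = stored
    return entries


def verify_password(stored: str, password: str) -> bool:
    """Constant-time compare of the stored hash against a freshly computed one.
    Only {SHA} is handled here; bcrypt ($2y$) and apr1 ($apr1$) entries need
    extra libraries and are rejected rather than silently accepted."""
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(stored, sha_entry(password))
    return False


def decode_basic_header(header: str) -> Optional[Tuple[str, str]]:
    """Basic auth is base64, not encryption: anything that can read the header
    (a proxy, a log file, anyone on a plain-HTTP path) recovers the password."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, password = raw.split(":", 1)
    return user, password


def authorize(htpasswd_text: str, header: str,
              require_users: Optional[Set[str]] = None) -> Optional[str]:
    """Return the authenticated username, or None.
    require_users=None models "Require valid-user";
    a set of names models "Require user kin testuser"."""
    creds = decode_basic_header(header)
    if creds is None:
        return None
    user, password = creds
    stored = parse_htpasswd(htpasswd_text).get(user)
    if stored is None or not verify_password(stored, password):
        return None
    if require_users is not None and user not in require_users:
        return None
    return user


def basic_header(user: str, password: str) -> str:
    """What a browser sends after the user fills in the AuthName prompt."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


# Constructed sample file with the post's two users (passwords are made up).
SAMPLE_HTPASSWD = build_htpasswd({"kin": "mypassword", "testuser": "s3cret!"})

if __name__ == "__main__":
    print(SAMPLE_HTPASSWD)
    print(authorize(SAMPLE_HTPASSWD, basic_header("kin", "mypassword")))
    # Anyone holding the header gets the password back with one base64 decode.
    print(decode_basic_header(basic_header("kin", "mypassword")))
```

The `decode_basic_header` step is the point of the TLS warning: the header is reversible by construction, so the only thing protecting the password in transit is the TLS connection.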

Protecting content with digest authentication is much the same as basic authentication. Instead of sending the password itself, the client sends an MD5 digest computed from the username, realm, password and a server-supplied nonce, so the password does not cross the wire in the clear. MD5 is weak and the content itself is still unencrypted, so this is not a substitute for TLS either. Only the following changes are needed (mod_auth_digest must be loaded):

To create a new digest password file, type:

htdigest -c /usr/local/apache/passwd/digest realm username

htdigest will ask you for the desired password, and then ask you to type it again to confirm it. The realm is stored in the file alongside the hashed password, so it must be exactly the same string you use for AuthName in the configuration, or no user will ever match.

Then specify "AuthType Digest" instead of "AuthType Basic" in the configuration section and point AuthUserFile at the digest file (AuthDigestFile on Apache 2.0).
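The digest exchange described above, as an added example that is not code from the original post. It shows what htdigest actually stores (user:realm:HA1, with HA1 = MD5("user:realm:password")) and how the browser and mod_auth_digest each compute the RFC 2617 response for algorithm=MD5 with qop=auth, the mode browsers and Apache normally negotiate. The realm, user, password, nonce and client nonce are constructed sample values; the mismatched-AuthName case demonstrates the caveat above.

```python
# Added example, not code from the original post. Realm, users, passwords,
# nonce and cnonce below are constructed sample values.
import hashlib
import hmac
from typing import Dict, Tuple


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(user: str, realm: str, password: str) -> str:
    """The only secret htdigest writes to disk; note the realm is baked in."""
    return md5hex(f"{user}:{realm}:{password}")


def htdigest_line(user: str, realm: str, password: str) -> str:
    """Exactly the line `htdigest <file> <realm> <user>` appends."""
    return f"{user}:{realm}:{ha1(user, realm, password)}"


def parse_htdigest(text: str) -> Dict[Tuple[str, str], str]:
    """Map (user, realm) -> HA1."""
    entries: Dict[Tuple[str, str], str] = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 3:
            entries[(parts[0], parts[1])] = parts[2]
    return entries


def digest_response(h1: str, nonce: str, nc: str, cnonce: str,
                    method: str, uri: str) -> str:
    """RFC 2617 response with qop=auth: MD5(HA1:nonce:nc:cnonce:auth:HA2)."""
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{h1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def client_response(user: str, realm: str, password: str, nonce: str,
                    nc: str, cnonce: str, method: str, uri: str) -> str:
    """Browser side: realm and nonce come from the WWW-Authenticate challenge."""
    return digest_response(ha1(user, realm, password), nonce, nc, cnonce, method, uri)


def server_check(htdigest_text: str, auth_name: str, user: str, nonce: str,
                 nc: str, cnonce: str, method: str, uri: str, response: str) -> bool:
    """Server side. The lookup key is (user, AuthName): if AuthName differs from
    the realm given to htdigest, no entry is found and every login fails."""
    stored_ha1 = parse_htdigest(htdigest_text).get((user, auth_name))
    if stored_ha1 is None:
        return False
    expected = digest_response(stored_ha1, nonce, nc, cnonce, method, uri)
    return hmac.compare_digest(expected, response)


# Constructed sample file, created as if by: htdigest -c digest intranet kin
SAMPLE_HTDIGEST = htdigest_line("kin", "intranet", "mypassword") + "\n"
NONCE, NC, CNONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"


def demo(auth_name: str, password: str) -> bool:
    """One full exchange for GET /private/ against the sample file; the client
    uses whatever realm the server advertised as AuthName."""
    resp = client_response("kin", auth_name, password, NONCE, NC, CNONCE, "GET", "/private/")
    return server_check(SAMPLE_HTDIGEST, auth_name, "kin", NONCE, NC, CNONCE,
                        "GET", "/private/", resp)


if __name__ == "__main__":
    print(SAMPLE_HTDIGEST.strip())
    print("AuthName intranet, right password:", demo("intranet", "mypassword"))
    print("AuthName Intranet, right password:", demo("Intranet", "mypassword"))
    print("AuthName intranet, wrong password:", demo("intranet", "wrong"))
```

Because HA1 already binds the realm, renaming AuthName later means regenerating the digest file, not just editing the configuration.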

Allow and Deny

The Allow and Deny directives let you allow and deny access based on the host name or host address of the machine requesting a document.

The usage of these directives is:

Allow from address

Deny from address

where address is a full or partial IP address, a network/netmask pair, or a full or partial domain name. The Order directive (allow,deny or deny,allow) sets which of the two is evaluated first and which wins when both match; with Order allow,deny, anything not matched by an Allow, or matched by a Deny, is refused.

Satisfy controls how these host restrictions combine with the Require directives and takes one of two arguments, all or any: all (the default) means the client must pass both the host-based check and the authentication; any means passing either one is enough, for example letting machines on the internal network in without a password while everyone else must log in.

Note that Allow, Deny, Order and Satisfy are the Apache 2.2 syntax. Apache 2.4 accepts them only through mod_access_compat; the native 2.4 equivalents are Require ip, Require host and Require all granted, with <RequireAny> and <RequireAll> blocks taking the place of Satisfy.

A sample configuration:

<Directory /usr/local/apache/htdocs/sekrit>
  AuthType Basic
  AuthName intranet
  AuthUserFile /www/passwd/users
  AuthGroupFile /www/passwd/groups
  Require group customers
  Order allow,deny
  Allow from
  Satisfy any
</Directory>
