How to Configure Apache to Password Protect your Web Directory

If you are developing a new website that you do not want the general public to view, or you have important documents in a web directory that you want to secure, you can configure your Apache web server to password protect that directory. When a user attempts to open a password-protected directory or a file in it, a window appears requesting a username and password. Once the proper username and password are entered, the user is allowed to view the files in that directory.

Adding a password to a website or web directory with the Apache web server is easy; just follow the tutorial below.

Redhat/CentOS/Fedora

For an Apache web server running on CentOS and other Red Hat-based distributions, edit /etc/httpd/conf/httpd.conf and find the line

<Directory "/var/www/html">

Then replace the line that says

AllowOverride None

with

AllowOverride All
AuthName "Login Message Here"
AuthType Basic
AuthUserFile /var/www/html/htpasswd.users
Require valid-user

Your Apache config file should look like this:

<Directory "/var/www/html">

#
# Possible values for the Options directive are "None", "All",
# or any combination of:
#   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important.  Please see
# http://httpd.apache.org/docs-2.0/mod/core.html#options
# for more information.
#
    Options Indexes FollowSymLinks

#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
#   Options FileInfo AuthConfig Limit
    AllowOverride All
    AuthName "Login Message Here"
    AuthType Basic
    AuthUserFile /var/www/html/htpasswd.users
    Require valid-user
    Order allow,deny
    Allow from all
</Directory>

Generate a username and password; the password will be stored in the file called htpasswd.users. The -c option creates that file, and an existing file of the same name is overwritten.

cd /var/www/html
htpasswd -c htpasswd.users username

Then reload the Apache service for the changes to take effect.

service httpd reload

Debian/Ubuntu

The configuration is the same on Debian and Ubuntu; edit the file /etc/apache2/sites-enabled/000-default.

vi /etc/apache2/sites-enabled/000-default

Find the line

<Directory /var/www/>


And replace the line that says

AllowOverride None

with

AllowOverride All
AuthName "Login Message Here"
AuthType Basic
AuthUserFile /var/www/htpasswd.users
Require valid-user

Your Apache config file should look like this:

<Directory /var/www/>
       Options Indexes FollowSymLinks MultiViews
       AllowOverride All
       AuthName "Login Message Here"
       AuthType Basic
       AuthUserFile /var/www/htpasswd.users
       Require valid-user
       Order allow,deny
       allow from all
       # This directive allows us to have apache2's default start page
       # in /apache2-default/, but still have / go to the right place
       #RedirectMatch ^/$ /apache2-default/
</Directory>

Generate a username and password with the command below:

cd /var/www
htpasswd -c htpasswd.users username

Restart your Apache service for the changes to take effect.

/etc/init.d/apache2 restart

.htaccess File

You can also use a .htaccess file to protect your web directory. Create a .htaccess file inside the web directory you want to secure and put the following lines in it:

AuthName "Login Message Here"
AuthType Basic
AuthUserFile /var/www/html/htpasswd.users
Require valid-user

After you have created the .htaccess file, generate a username and password.

htpasswd -c htpasswd.users username

This will require your website visitors to log in with a user ID and password. If they fail to enter the specified username and password, the browser will display an error message.
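One way to check the resulting setup, as an added example that is not part of the original tutorial: the password file above is kept inside the web directory, so this script flags a password file under the document root, world-readable permissions, and entries stored as unsalted SHA-1, crypt() or plaintext. The function names audit_htpasswd and demo are hypothetical, and the sample entries are constructed.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit a Basic-auth password file.
# Usage: audit_htpasswd DOCROOT AUTHUSERFILE   -> prints one WARN line per finding.
audit_htpasswd() {
    docroot=$1; pwfile=$2
    [ -f "$pwfile" ] || { echo "ERROR: no such file: $pwfile"; return 0; }

    # 1. A password file under the document root sits in web-servable space.
    abs_root=$(cd "$docroot" && pwd -P)
    abs_dir=$(cd "$(dirname "$pwfile")" && pwd -P)
    case "$abs_dir/" in
        "$abs_root"/*) echo "WARN: $pwfile is inside the document root $docroot" ;;
    esac

    # 2. Only the Apache user needs to read the file; flag world-readable modes.
    case $(ls -ldL "$pwfile") in
        ???????r*) echo "WARN: $pwfile is world-readable" ;;
    esac

    # 3. Classify each user:hash entry by the prefix of its stored hash.
    while IFS=: read -r user hash; do
        [ -n "$user" ] || continue          # skip blank lines
        case $hash in
            '')       echo "WARN: user '$user' has an empty password field" ;;
            '{SHA}'*) echo "WARN: user '$user' uses unsalted SHA-1" ;;
            '$'*)     ;;   # salted schemes such as $apr1$ (MD5) or $2y$ (bcrypt)
            *)        echo "WARN: user '$user' uses crypt() or plaintext" ;;
        esac
    done < "$pwfile"
    return 0
}

# Demo on constructed data: a throwaway directory stands in for /var/www/html.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/html"
    {
        echo 'alice:$apr1$CONSTRUC$constructedSampleHash00'
        echo 'bob:{SHA}constructedSampleDigest0000='
        echo 'carol:abConstructed0'
    } > "$tmp/html/htpasswd.users"
    chmod 644 "$tmp/html/htpasswd.users"
    audit_htpasswd "$tmp/html" "$tmp/html/htpasswd.users"
    rm -rf "$tmp"
}
demo
```

For the Red Hat layout used in this tutorial the call would be `audit_htpasswd /var/www/html /var/www/html/htpasswd.users`.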

That's how it works... Cheers!!!