When you set up a website or a blog, there will often be some pages that you do not want unauthorized visitors to access. Although it is possible to code password authentication for web pages, did you know that you can use the Apache web server directly for user authentication? If you just need simple password authentication and do not have software developers to code it for you, then you can use this feature of the Apache server. In this article, we will learn how to password protect a directory in Apache web server.
Why Password Protect Directory in Apache
Every website or blog has web pages with sensitive content such as admin pages, user details, etc. Most site administrators need to protect these web pages with sensitive information from unauthorized users. Using Apache’s password authentication is a very simple, quick and powerful way to add user authorization to your website, without any coding.
Another useful benefit is that it allows you to enable user authentication for specific pages, directories, or entire site, in a matter of minutes.
How to Password Protect Directory in Apache
Here are the steps to password protect directory in Apache server.
1. Install Required Apache Utilities
First of all, we need to create a file that stores usernames and passwords. For that purpose, we use the htpasswd utility. It allows us to add the username-password combinations that are allowed to access password protected content. htpasswd is available in the apache2-utils package. You can install it with the following commands. Here we update local packages and install htpasswd.
sudo apt-get update
sudo apt-get install apache2-utils
2. Create Password File
Once htpasswd is installed, we will use it to create new username-password combinations. htpasswd requires the location of the file that will store this information. Here is the command to add a username-password combination to this file.
sudo htpasswd -c <file_location> <username>
Here is an example to demonstrate it.
sudo htpasswd -c /home/ubuntu/userpass test_user
In the above command, we supply the file location as /home/ubuntu/userpass and the username as test_user. If this file does not exist, it will be created. Also, since you are creating the file for the first time, you need to add the -c option. For subsequent users, omit it, because -c rewrites an existing file and removes the entries already stored in it.
sudo htpasswd /home/ubuntu/userpass test_user2
Once you enter the above command, you will be prompted for a password. Enter the password to save the username-password combination. The passwords are hashed before being stored in the file. You can view its contents using cat or a similar command.
$ cat /home/ubuntu/userpass
Output
test_user:$jan1$efgsIfXG$tmCvCfb34fpPFwKGVsuYz.
test_user2:$jan1$p1gjjeAf$efrhneUwr.MhAE2kKGYHK.
3. Configure Password Authentication
Next, we need to configure Apache to use this file to check whether the requested URL is a protected one, and to check user credentials against it for authorization. This can be done in the following ways.
- Using virtual host file
- Using .htaccess file
In the first option, we modify the virtual host file to add the location of the htpasswd file. Apache reads this file only when the server is started, restarted or reloaded, so it is much faster than using .htaccess to add password protection. Also, since it is a single file, the Apache server does not need to look in multiple places to authenticate users.
If you are using .htaccess file, then Apache will need to re-read this file at every request, which can slow down performance. However, in most deployments, users do not have access to virtual host config file but only to .htaccess file. So this is a more practical solution.
Let us look at these methods below.
Using Virtual Host Configuration File
In this approach, we first open the default virtual host configuration file 000-default.conf in a text editor.
$ sudo vi /etc/apache2/sites-enabled/000-default.conf
Look for the following code block. If it is commented, remove the # sign at the beginning of the lines.
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
In this case, authentication is done for specific directories. So if you want to password protect the entire root directory then add the following lines to it.
<Directory "/var/www/html">
</Directory>
Within this block, we need to specify the AuthType as Basic, since we need basic authentication. Next, we need to specify AuthName as any realm name you want. The AuthUserFile directive should point to the htpasswd file location that we created earlier. Lastly, we set the Require directive to valid-user, which means that anyone with a valid username and password combination is authorized. So add the following 4 lines within the above Directory block.
<Directory "/var/www/html">
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /home/ubuntu/userpass
Require valid-user
</Directory>
Save and close the file. Proceed to the next step to restart Apache server and apply changes.
Using .htaccess File
If you do not have access to the virtual host file, then you can update the .htaccess file for this purpose. Here we will first enable .htaccess files and then modify the file. If you have already enabled them on your server, you can proceed to modify the file, as shown later in this step.
First, open Apache main configuration file in text editor.
sudo vi /etc/apache2/apache2.conf
Look for the following code block that points to the root directory.
. . .
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
. . .
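In the above code, change AllowOverride from None to All. If you use .htaccess only for the authentication directives shown below, AllowOverride AuthConfig is sufficient and permits fewer overrides.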
. . .
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
. . .
Save and close the file to enable .htaccess.
Next, add a .htaccess file to the directory that you want to password protect. Here we create a file in root directory, since we password protect its contents.
sudo vi /var/www/html/.htaccess
In this file, we add the 4 directives described earlier for authentication. We specify AuthType as Basic. Next, we set the AuthName directive to a realm name as per your requirement. Then we set AuthUserFile to the location of the htpasswd file. Lastly, we set the Require directive to valid-user, meaning anyone with a valid username and password will be able to get access.
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /home/ubuntu/userpass
Require valid-user
Save and close the file.
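The following check is an added example, not part of the original article: it reads the AuthUserFile path from a virtual host or .htaccess file, confirms that the file exists and sits outside the DocumentRoot, and reports the hash scheme of each entry. The function names are hypothetical, and the readability test applies to the user running the script, so run it as the user Apache runs as.

```shell
#!/bin/sh
# Added example (not from the article): audit a Basic-auth setup.
# All function names are hypothetical.

# Classify one htpasswd hash field by its prefix.
hash_scheme() {
    case "$1" in
        '$2y$'*|'$2a$'*|'$2b$'*) echo bcrypt ;;
        '$apr1$'*)               echo apr1-md5 ;;
        '$5$'*|'$6$'*)           echo sha-crypt ;;
        '{SHA}'*)                echo sha1-unsalted ;;
        *)                       echo crypt-or-plaintext ;;
    esac
}

# Print "user scheme" for each entry; return 1 if any entry is unsalted
# SHA-1, legacy crypt() or plaintext.
audit_htpasswd() {
    rc=0
    while IFS=: read -r user hash || [ -n "$user" ]; do
        [ -n "$user" ] || continue            # skip blank lines
        scheme=$(hash_scheme "$hash")
        echo "$user $scheme"
        case "$scheme" in sha1-unsalted|crypt-or-plaintext) rc=1 ;; esac
    done < "$1"
    return "$rc"
}

# First AuthUserFile path in a config or .htaccess file.
# Directive names are case-insensitive; commented-out lines do not match.
auth_user_file() {
    awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# $1 = virtual host config or .htaccess file, $2 = DocumentRoot.
# Returns 2: no AuthUserFile, 3: file missing or unreadable,
# 4: file under DocumentRoot, 1: weak hash present, 0: all checks passed.
check_auth_config() {
    pw=$(auth_user_file "$1")
    [ -n "$pw" ] || { echo "no AuthUserFile in $1"; return 2; }
    [ -r "$pw" ] || { echo "$pw missing or unreadable"; return 3; }
    case "$pw" in "${2%/}"/*) echo "$pw is under $2"; return 4 ;; esac
    audit_htpasswd "$pw"
}

if [ "$#" -eq 2 ]; then check_auth_config "$1" "$2"; fi
```

If it reports apr1-md5 entries and you prefer bcrypt, the -B option of htpasswd stores new passwords as bcrypt hashes.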
4. Restart Apache Server
Restart Apache server to apply changes.
$ sudo service apache2 restart
5. Test Password Authentication
To test the above configuration, open a web browser and try to access any of the password protected URLs. You will see a prompt that asks you to enter a username and password.
If you enter the correct username and password, you will be granted access to the requested URL. Otherwise, you will see a 401 Unauthorized error message.
Conclusion
In this article, we have learnt a couple of simple ways to easily add basic password authentication in Apache server. It allows you to protect one or more pages on your website/blog, without any coding. It is easy to manage for system administrators. You can customize it as per your requirement.

Sreeram Sreenivasan is the Founder of Ubiq. He has helped many Fortune 500 companies in the areas of BI & software development.