Set up Basic Authentication in Apache Using .htaccess On CentOS 7

By | October 29, 2016
0 Comment

Introduction

Apache is one of the most widely-used and popular web servers in the world. Configuring your websites with password authentication can prevent unauthorized users from accessing your website without the correct user ID and password.

This tutorial explains an easy way to password protect a web directory in Apache using .htaccess.

Requirements

  • A server running CentOS v. 7 with Apache installed
  • Static IP address or URL for your website

Configure Apache to allow .htaccess authentication

By default Apache does not allow the use of .htaccess files in CentOS 7. You will need to set up Apache to allow .htaccess based authentication.

You can do this by editing the Apache config file:

sudo nano /etc/httpd/conf/httpd.conf

Find the section that begins with <Directory "/var/www/html">. Change the line from AllowOverride none to AllowOverride AuthConfig

AllowOverride AuthConfig

Save and close the file.

Create a password file with htpasswd

The htpasswd command is used to create and update the files used to store usernames and password for basic authentication of Apache users. We will create a hidden file .htpasswd in the /etc/httpd/ configuration directory.

Let’s begin by creating a .htpasswd file for user1.

sudo htpasswd -c /etc/httpd/.htpasswd user1

You will be asked to supply and confirm a password for user1.

Note: Only use -c the first time you create the file. Do not use -c when you add a user in the future.

Let’s create another user named user2:

sudo htpasswd  /etc/httpd/.htpasswd user2

After creating user2, you can see the username and the encrypted password for each record:

sudo cat /etc/httpd/.htpasswd

The output will look something like this:

user1:$apr1$0r/2zNGG$jopiWY3DEJd2FvZxTnugJ/
user2:$apr1$07FYIyjx$7Zy1qcBd.B8cKqu0wN/MH1

Now, you need to allow the apache user to read the .htpasswd file.

sudo chown apache:apache /etc/httpd/.htpasswd
sudo chmod 0660 /etc/httpd/.htpasswd

Configure Apache password authentication

Now you need to create a .htaccess file in the web directory you wish to restrict.

For this example, we will create the .htaccess file in the /var/www/html/ directory to restrict the entire document root.

sudo nano /var/www/html/.htaccess

Add the following content:

AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/httpd/.htpasswd
Require valid-user

Save and close the file, then restart Apache to make these changes take effect.

sudo apachectl restart

Testing password authentication

After everything has been set up, it’s time to test your Apache server.

From your desktop computer, try to access your restricted content in a web browser by visiting your URL or static IP address.

You will be prompted with a username and password to access the website.

Apache authentication page

If you enter the correct credentials, you will be allowed to access the content.

If you enter the wrong credentials or hit “Cancel” you will see the “Unauthorized” error page:

Apache authentication error

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.