Apache is one of the most widely-used and popular web servers in the world. Configuring your websites with password authentication can prevent unauthorized users from accessing your website without the correct user ID and password.
This tutorial explains an easy way to password protect a web directory in Apache using .htaccess.
- A server running CentOS v. 7 with Apache installed
- Static IP address or URL for your website
Configure Apache to allow .htaccess authentication
By default Apache does not allow the use of
.htaccess files in CentOS 7. You will need to set up Apache to allow
.htaccess based authentication.
You can do this by editing the Apache config file:
sudo nano /etc/httpd/conf/httpd.conf
Find the section that begins with
<Directory "/var/www/html">. Change the line from
AllowOverride none to
Save and close the file.
Create a password file with htpasswd
htpasswd command is used to create and update the files used to store usernames and password for basic authentication of Apache users. We will create a hidden file
.htpasswd in the
/etc/httpd/ configuration directory.
Let’s begin by creating a
.htpasswd file for user1.
sudo htpasswd -c /etc/httpd/.htpasswd user1
You will be asked to supply and confirm a password for user1.
Note: Only use
-c the first time you create the file. Do not use
-c when you add a user in the future.
Let’s create another user named user2:
sudo htpasswd /etc/httpd/.htpasswd user2
After creating user2, you can see the username and the encrypted password for each record:
sudo cat /etc/httpd/.htpasswd
The output will look something like this:
Now, you need to allow the
apache user to read the
sudo chown apache:apache /etc/httpd/.htpasswd sudo chmod 0660 /etc/httpd/.htpasswd
Configure Apache password authentication
Now you need to create a
.htaccess file in the web directory you wish to restrict.
For this example, we will create the
.htaccess file in the
/var/www/html/ directory to restrict the entire document root.
sudo nano /var/www/html/.htaccess
Add the following content:
AuthType Basic AuthName "Restricted Content" AuthUserFile /etc/httpd/.htpasswd Require valid-user
Save and close the file, then restart Apache to make these changes take effect.
sudo apachectl restart
Testing password authentication
After everything has been set up, it’s time to test your Apache server.
From your desktop computer, try to access your restricted content in a web browser by visiting your URL or static IP address.
You will be prompted with a username and password to access the website.
If you enter the correct credentials, you will be allowed to access the content.
If you enter the wrong credentials or hit “Cancel” you will see the “Unauthorized” error page: