Password Protecting Apache (Linux)
Password protect Apache directories (RedHat9)
Posted 01.06.2004 | Updated 23.05.2006 | Contributed by Andy Mallett


There have been a few changes since RH7.1 was king. The Apache 2.0 Web Server root still lives in /var/www/html, while the config files reside at /etc/httpd/conf/httpd.conf.

One noticeable change is the lack of any index.html files. Now httpd.conf instructs Apache to use a default generic index.html for any 'empty' directory in the system.

For anyone who has run Apache under Win32 the password protecting process is the same, just the directory structure is different.

There are three steps to the process..

  • The creation of a single password file containing authorised users and passwords
  • The creation of an .htaccess file which sits in each protected directory
  • The modification of a line in Apache's httpd.conf configuration file

1. Creating the Password file

To create the password file which I have called passwords, use the htpasswd executable which is located in /usr/bin/htpasswd, so change to this directory to use it.

The passwords file can live anywhere outside of the main web service. I decided to lob mine in with the rest of the config stuff in /etc/httpd/conf away from any public directories (we don't want a user to be able to download the passwords file).

So in the following example, the file passwords will be created in the path /etc/httpd/conf/, with an initial username of andym. To create the file, type:

htpasswd -c /etc/httpd/conf/passwords andym 

[root@vampyre root]# cd /usr/bin
[root@vampyre bin]# htpasswd -c /etc/httpd/conf/passwords andym
New password:
Re-type new password:
Updating password for user andym
[root@vampyre bin]#


htpasswd will prompt for the user's password, twice to confirm and a file called passwords will be created under the specified directory.

Finally change permissions on the passwords file to EVERYONE, EXECUTE. This little snippet is often left out of the instructions and can lead to a password box which doesn't accept a valid username/password combination. The passwords file can have other users appended later, as required.

2. Creating the .htaccess file

A copy of this file is placed into each directory which needs to be password protected. The file contains the following four lines:

AuthType Basic
AuthName "Restricted Files"
AuthUserFile /etc/httpd/conf/passwords
Require user andym

Copy these lines into a text editor and name the file .htaccess
  1. Modify the AuthUserFile entry to point to the location of the passwords file location created in step 1. above
  2. Modify the Require user entry to the username(s) required for access to that directory
  3. Place a copy of this file in each directory which requires password protection

3. Modify httpd.conf

This file is the main configuration file for Apache, living in /etc/httpd/conf/httpd.conf

Find the entry as shown here [~line 335] and change the AllowOverride entry from None to All:

#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
    AllowOverride All
#

Save and close httpd.conf and then type service httpd restart at the console to restart the Apache service [daemon] with the new settings.

And that's it. For all directories containing an .htaccess file, users should be prompted for a username and password.

More Information