When you run a website, you might want to password protect a directory if it contains sensitive information. It is quite easy to password protect a directory using the Apache web server. However, if you use a web host, check with them to see whether they provide this feature out of the box. Otherwise, here’s how you can password protect a directory using Apache.
How to Password Protect Directory using Apache with .htaccess
Before we proceed, please ensure you have installed Apache web server on your Linux system. Also, enable .htaccess processing. Here’s how you can enable .htaccess in Apache
The .htaccess file lets you change how Apache processes requests without changing the server config files.
1. Create or open .htaccess file
Open a terminal on your server via telnet or SSH, then open the .htaccess file in a text editor.
$ sudo nano /var/www/html/.htaccess
Add the following lines to it.
AuthName "Members Area"
AuthType Basic
AuthUserFile /path/to/your/directory/.htpasswd
require valid-user
- AuthName – Name displayed when Apache asks for authentication. You can name it anything you want
- AuthType – Type of authentication. No need to modify it.
- AuthUserFile – Location of the password file, which you will create later. In our example, it is .htpasswd. Make sure you place it in a folder that is not directly visible to site visitors. Also, use the full path to the file instead of a relative path.
- require – Who can access your directory after authentication. “valid-user” means everyone who has the password. If you want only specific users (e.g. tom, alex, john) to have access, you can specify them here. For example, “require user tom alex john”. In this case, only these 3 users will have access.
Save and close the .htaccess file
2. Create Password file
As mentioned earlier, we need to create a password file, .htpasswd
Go to the home directory
Type the following command. Replace your-user-name with your actual user name
$ htpasswd -c .htpasswd your-user-name
Usernames should be single words, without any spaces. Once you type the above command, you’ll be asked for a password. Once you enter the password, the .htpasswd file will be created in your home directory.
If you want, you can add more users (e.g. tom, alex, etc.). Leave out the -c flag, as shown below, because -c creates a new file; without it, htpasswd will look for an existing file and add the user to it.
$ htpasswd .htpasswd tom
If you view the .htpasswd file, you’ll see the list of all usernames you added, along with their hashed passwords.
Since this file has passwords, change its permissions so that only the file's owner can read and write it, while others can only read it.
$ sudo chmod 644 .htpasswd
Now move the file to the location you have specified in your .htaccess file earlier.
$ mv .htpasswd /path/to/your/directory/
In fact, you can name the .htpasswd file anything you want, as long as you reference it correctly in .htaccess.
Congrats! Now you can password protect directory using Apache. You can test it by uploading a simple test.html file in your protected folder and opening it in your web browser. You should see a prompt for username and password. If the setup is not correct, you will be able to see the file without any prompt.
However, remember the following when you password protect a directory using Apache:
- It applies only to directories, not to individual files. If a user gets access to the directory, they can access all files in it.
- It protects the directory only over the web. You and others can still freely access it via the file system and shell.
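
As an added example (not part of the original tutorial), the shell function below checks the points made above about AuthUserFile: that .htaccess gives a full path, that the password file exists outside the document root, and that only its owner can write to it. The function name check_authuserfile and the paths in the usage comment are assumptions.

```bash
# Added example (not from the original tutorial). check_authuserfile is a
# hypothetical helper; it assumes the password file path contains no spaces.
# Usage: check_authuserfile /var/www/html/.htaccess /var/www/html
# Prints one finding per line; returns 0 if there are none, 1 otherwise.
check_authuserfile() {
    local htaccess="$1" docroot="$2" pwfile real_pw real_root findings=0

    # Argument of the last AuthUserFile directive (directive names are
    # case-insensitive), with optional surrounding quotes removed.
    pwfile=$(awk 'tolower($1) == "authuserfile" { p = $2 } END { print p }' \
        "$htaccess" | tr -d '"')
    if [ -z "$pwfile" ]; then
        echo "no AuthUserFile directive in $htaccess"
        return 1
    fi

    # The tutorial asks for a full path; Apache resolves a relative one
    # against ServerRoot, not against the directory holding .htaccess.
    case "$pwfile" in
        /*) ;;
        *) echo "AuthUserFile is not a full path: $pwfile"; return 1 ;;
    esac
    if [ ! -f "$pwfile" ]; then
        echo "password file not found: $pwfile"
        return 1
    fi

    # Resolve symlinks and ".." in the directory parts before comparing.
    real_pw="$(cd "$(dirname "$pwfile")" && pwd -P)/$(basename "$pwfile")"
    real_root="$(cd "$docroot" && pwd -P)"
    case "$real_pw" in
        "$real_root"/*)
            echo "password file is inside the document root: $real_pw"
            findings=1 ;;
    esac

    # With chmod 644 only the owner may write; flag group/other write bits.
    if [ -n "$(find "$real_pw" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "password file is writable by group or others: $real_pw"
        findings=1
    fi
    return "$findings"
}

# Run the check when the script is called with both arguments.
if [ "$#" -eq 2 ]; then check_authuserfile "$1" "$2"; fi
```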