How to Password Protect Directory using Apache with .htaccess



When you run a website, you might want to password protect a directory that contains sensitive information. This is quite easy to do with the Apache web server. However, if you use a web host, check with them first to see whether they provide this feature out of the box. Otherwise, here’s how you can password protect a directory using Apache.

 

How to Password Protect Directory using Apache with .htaccess

Before we proceed, please make sure the Apache web server is installed on your Linux system and that .htaccess processing is enabled for the directory (for the authentication directives used here, AllowOverride in the server configuration must include AuthConfig or be set to All).

An .htaccess file lets you change how Apache processes requests without editing the server's configuration files.

 

1. Create or open .htaccess file

Open a terminal on your server via telnet or SSH (prefer SSH, since telnet sends the whole session, including passwords, unencrypted). Then open the .htaccess file in a text editor.


$ sudo nano /var/www/html/.htaccess

 

Add the following lines to it.


AuthName "Members Area"
AuthType Basic
AuthUserFile /path/to/your/directory/.htpasswd
require valid-user

 

  • AuthName – Name displayed when Apache asks for authentication. You can name it anything you want.
  • AuthType – Type of authentication. No need to modify it.
  • AuthUserFile – Location of the password file, which you will create later. In our example, it is .htpasswd. Make sure you place it in a folder that is not directly visible to site visitors. Also, use the full path to the file instead of a relative path.
  • require – Who can access your directory after authentication. “valid-user” means everyone who has a username and password in the password file. If you want only specific users (e.g. tom, alex, john) to have access, you can specify them here. For example, “require user tom alex john”. In this case, only these 3 users will have access.

Save and close the .htaccess file.

 

2. Create Password file

As mentioned earlier, we need to create a password file, .htpasswd.

Go to the home directory.


$ cd

Type the following command. Replace your-user-name with your actual user name.


$ htpasswd -c .htpasswd your-user-name

Usernames should be single words, without any spaces. Once you type the above command, you’ll be asked for a password. Once you enter the password, the .htpasswd file will be created in your home directory.

If you want, you can add more users (e.g. tom, alex, etc.). When adding to an existing file, leave out the -c flag, as shown below. The -c flag creates the file and overwrites one that already exists; without it, htpasswd looks for the existing file and updates it.


$ htpasswd .htpasswd tom

 

If you view the .htpasswd file, you’ll see the list of all usernames you added, along with their hashed passwords.


tom:34bhbeb3hjjh4
mary:bhb3jh4b33jh4

 

Since this file contains password hashes, change its permissions so that only the file's owner can read and write it, while others can only read it.

 


$ sudo chmod 644 .htpasswd

 

Now move the file to the location you have specified in your .htaccess file earlier.

 


$ mv .htpasswd /path/to/your/directory/

 

In fact, you can give the password file any name you want, as long as you reference it correctly in .htaccess.

 

Congrats! Now you can password protect a directory using Apache. You can test it by uploading a simple test.html file to your protected folder and opening it in your web browser. You should see a prompt for a username and password. If the setup is not correct, you will be able to see the file without any prompt.
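The layout built in steps 1 and 2 can also be checked from the shell. The script below is an added example, not part of the original article: the helper name audit_htaccess and the temporary demo paths are assumptions, and it assumes the AuthUserFile path contains no spaces.

```shell
#!/usr/bin/env bash
# Added example: audit a .htaccess file against the advice in steps 1 and 2.
# Assumption: the AuthUserFile path contains no spaces.

# audit_htaccess HTACCESS DOCROOT  (hypothetical helper name)
# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_htaccess() {
    local htaccess="$1"
    local docroot="${2%/}"
    local bad=0
    local pwfile
    # Directive names are case-insensitive; use the last AuthUserFile value.
    pwfile=$(awk 'tolower($1) == "authuserfile" { p = $2 }
                  END { gsub(/"/, "", p); print p }' "$htaccess")
    case "$pwfile" in
        "") echo "FAIL: no AuthUserFile directive"; return 1 ;;
        "$docroot"/*) echo "FAIL: $pwfile is inside the document root"; bad=1 ;;
        /*) ;;
        *) echo "FAIL: $pwfile is a relative path"; return 1 ;;
    esac
    grep -qiE '^[[:space:]]*require[[:space:]]+(valid-user|user[[:space:]])' "$htaccess" ||
        { echo "FAIL: no 'require valid-user' or 'require user ...' line"; bad=1; }
    if [ ! -f "$pwfile" ]; then
        echo "FAIL: $pwfile does not exist"; bad=1
    else
        # Entries are user:hash; Apache skips blank lines and # comments.
        grep -qvE '^([^:[:space:]]+:.+|#.*)?$' "$pwfile" &&
            { echo "FAIL: malformed entry in $pwfile"; bad=1; }
        # Anyone who can write this file can add an account for themselves.
        [ -n "$(find "$pwfile" -perm -002)" ] &&
            { echo "FAIL: $pwfile is world-writable"; bad=1; }
    fi
    return "$bad"
}

# Constructed demo tree (temporary paths, placeholder hash).
demo=$(mktemp -d)
mkdir -p "$demo/www/members" "$demo/private"
printf 'tom:$apr1$constructed$notARealHash\n' > "$demo/private/.htpasswd"
chmod 644 "$demo/private/.htpasswd"
printf 'AuthName "Members Area"\nAuthType Basic\nAuthUserFile %s\nrequire valid-user\n' \
    "$demo/private/.htpasswd" > "$demo/www/members/.htaccess"
audit_htaccess "$demo/www/members/.htaccess" "$demo/www" && echo "OK: no findings"
rm -rf "$demo"
```

On a real server, call it with the protected directory's .htaccess and the site's document root, for example audit_htaccess /var/www/html/.htaccess /var/www/html.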

 

However, remember the following when you password protect a directory using Apache:

  1. It applies only to directories, not to individual files. If a user gets access to the directory, they can access all files in it.
  2. It protects the directory only over the web. You and others can still freely access it via the file system and shell.

About Sreeram Sreenivasan

Sreeram Sreenivasan is the Founder of Ubiq, a business dashboard & reporting platform for small & medium businesses.