Apache password file authentication:
Directory protection using .htaccess and .htpasswd
This tutorial applies to Apache-based web servers. It requires:
1. Editing the server configuration file (httpd.conf) to enable/allow a directory structure on the server to be password protected. Basically the default
2. The creation and addition of two files specifying the actual logins and passwords. (.htaccess and .htpasswd)
Use this sparingly, because Apache will have to check all directories and subdirectories specified in the configuration file for the existence of the .htaccess file, adding to the server's latency.
When trying to access a file in a protected directory, the user will be presented with a window (dialog box) requesting a username and password. This protection applies to all subdirectories. Other .htaccess files in subdirectories may respecify access rules.
Apache authentication uses the modules mod_auth and mod_access.
Apache configuration file:
File: /etc/httpd/conf/httpd.conf (older systems used access.conf)
Default: This disables the processing of .htaccess files for the system.
AllowOverride None
or for a specified directory:
AllowOverride None
Change to and/or specify directory to protect:
AllowOverride All
OR
AllowOverride AuthConfig
AllowOverride parameters: AuthConfig FileInfo Indexes Limit Options
The name of the "distributed" and user controlled configuration file .htaccess is defined with the directive: (default shown)
AccessFileName .htaccess
Password protection by a single login:
Password files:
1. Create the directory you want to password protect (example: membersonly)
2. Create a file /home/domain/public_html/membersonly/.htaccess in that directory that looks something like this:
AuthName "Add your login message here."
AuthType Basic
AuthUserFile /home/domain/public_html/membersonly/.htpasswd
AuthGroupFile /dev/null
require user name-of-user
In this case the "name-of-user" is the login name you wish to use for accessing the web site.
The literature is full of examples of the next method but I never got it to work.
One can use Apache directives to specify access and restriction:
AuthName "Add your login message here."
AuthType Basic
AuthUserFile /home/domain/public_html/membersonly/.htpasswd
AuthGroupFile /dev/null
require user name-of-user
Also see: List of Apache directives. If an incorrect directive is used in the .htaccess file it will result in a server error. Check your log files: /var/log/httpd/error_log.
The name of the access file .htaccess is specified by the httpd.conf directive AccessFileName.
3. Create the password file /home/domain/public_html/membersonly/.htpasswd using the program htpasswd:
htpasswd -c .htpasswd name-of-user
Man page: htpasswd
Example file: .htpasswd
user1:KgvCSeExtS4kM
USER1:KgvCSeExtS4kM
User1:KgvCSeExtS4kM
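A check one can run over a file like the one above, as an added example that is not part of the original tutorial: it flags entries stored with the schemes the htpasswd man page calls insecure (crypt(), {SHA}, plaintext), entries that share one hash, and user names that differ only by case. The function names and the wording of the findings are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed input: the example .htpasswd file shown on this page.
SAMPLE_HTPASSWD = "user1:KgvCSeExtS4kM\nUSER1:KgvCSeExtS4kM\nUser1:KgvCSeExtS4kM\n"

DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")  # 2-char salt + 11-char hash


def classify(field):
    """Return (scheme, weak) for the password field of one entry."""
    if field.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt", False
    if field.startswith("$apr1$"):
        return "apr1-md5", False
    if field.startswith("{SHA}"):
        return "sha1-unsalted", True
    if DES_CRYPT.fullmatch(field):
        return "des-crypt", True  # salt is only 12 bits, password cut at 8 chars
    return "unknown-or-plaintext", True


def audit(text):
    """Return a list of findings for the contents of an .htpasswd file."""
    findings, by_hash, by_name = [], defaultdict(list), defaultdict(list)
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):  # blank lines and comments
            continue
        user, sep, field = line.partition(":")
        if not (sep and user and field):
            findings.append(f"line {lineno}: malformed entry")
            continue
        scheme, weak = classify(field)
        if weak:
            findings.append(f"line {lineno}: {user} uses {scheme}")
        by_hash[field].append(user)
        by_name[user.lower()].append(user)
    for users in by_hash.values():
        if len(users) > 1:  # same salt and same hash means same password
            findings.append("shared password hash: " + ", ".join(users))
    for users in by_name.values():
        if len(users) > 1:
            findings.append("names differ only by case: " + ", ".join(users))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_HTPASSWD):
        print(finding)
```

Run against the sample, every entry is reported as des-crypt, and the three names are reported both as sharing one hash and as differing only by case.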