Password Protect Your Webserver Pages
Beginner's guide to .htaccess and protecting web pages
By Andrea W. Cordingly, for reallylinux.com


    Managing user access to a Linux Intranet server is painless and quick as long as you know the basics of .htaccess files.

    Yet, I find some new administrators get frustrated by the lack of complete information on the internet. Some HOWTO guides give the details of .htaccess files without mentioning that Apache itself must first be configured to honour them, let alone showing how to do it.

    My hope is that this brief article gives a complete look at managing access with the use of Apache overrides and .htaccess. Since the goal is to make it as easy as pie, I will cut the techno talk and get to the points.

    First, although this article applies to just about any Apache/Linux web server, it is most beneficial in the context of Intranet servers or when a website needs to control or secure certain web pages within directories for a set of specific users.

    Second, you do not have to be a Linux administrator or expert to do these steps. You only need rudimentary knowledge of Linux, have root or super user access to the server, and be familiar with a text editor like vi, emacs, or something like kwrite. You can find good text editor help here.


    Step 1. Configure Apache to Allow Access Authorization

    You need to find the httpd.conf file on your Linux server.

    This file is the Apache web server configuration file that includes lots of very useful Apache web server controls.

    For now, simply open it using a text editor. For Fedora users this is done by simply going to /etc/httpd and opening httpd.conf. For others using various flavors, try using this command to identify the location of the httpd.conf file, then edit it:
    locate httpd.conf

    Once you open this file using a text editor, please scroll down until you see not the first but the second occurrence of this text:
    AllowOverride None

    Change the line that says:
    AllowOverride None
    to instead say:
    AllowOverride AuthConfig

    Be sure NOT to change the first occurrence of this in the Apache file, which is the default. Change the second occurrence, which is actually the override. This is VERY IMPORTANT! If you run into trouble, make a backup of your httpd.conf file (type: cp httpd.conf httpd.conf.back) and then try using this example. Be sure to reboot the server after you copy our example file.
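Counting "the second occurrence" is easy to get wrong in a long httpd.conf, so here is an added check (my own script, not part of the article) that prints every AllowOverride together with the Directory block it belongs to and confirms that the DocumentRoot block, not the top-level one, is the one allowing AuthConfig. The configuration text inside is a constructed sample in the style of a Fedora-era httpd.conf, where the first AllowOverride sits in the top-level Directory block and the second in the DocumentRoot block; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the article: list every AllowOverride directive in an
# httpd.conf together with the <Directory> block it belongs to, so you can
# confirm that the DocumentRoot block (not "<Directory />") got AuthConfig.
# CONSTRUCTED_CONF is a made-up sample in the style of a Fedora-era httpd.conf.
CONSTRUCTED_CONF=$(cat <<'EOF'
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>

<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride AuthConfig
</Directory>
EOF
)

# list_overrides: read httpd.conf text on stdin, print one line per
# AllowOverride as "<directory><TAB><override values>".
list_overrides() {
    awk '
        /^[[:space:]]*<Directory[[:space:]]/ {   # entering a block: remember its path
            dir = $2; sub(/>$/, "", dir); gsub(/"/, "", dir)
        }
        /^[[:space:]]*<\/Directory>/ { dir = "" }
        /^[[:space:]]*AllowOverride[[:space:]]/ {
            sub(/^[[:space:]]*AllowOverride[[:space:]]+/, "")
            print dir "\t" $0
        }'
}

# docroot_allows_authconfig DIR: exit 0 only if the block for DIR allows
# AuthConfig (or All), which is what a .htaccess with AuthType Basic needs.
docroot_allows_authconfig() {
    list_overrides | awk -F'\t' -v d="$1" '
        $1 == d && $2 ~ /(^| )(AuthConfig|All)( |$)/ { ok = 1 }
        END { if (ok) exit 0; exit 1 }'
}

printf '%s\n' "$CONSTRUCTED_CONF" | list_overrides
if printf '%s\n' "$CONSTRUCTED_CONF" | docroot_allows_authconfig /var/www/html; then
    echo "DocumentRoot block allows AuthConfig: .htaccess will be honoured"
fi
```

On a real server feed the script your own file instead of the sample, e.g. `list_overrides < /etc/httpd/conf/httpd.conf`.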

    Step 2. Identify the Folder/Directory to Protect
    You should now identify which folders (aka Directories) under your web server you would like to protect. For instance if I want to only allow a certain list of users to access my html files under the Private folder it would look something like the following.

    On the Linux server the actual directory path would be:
    /var/www/html/Private
    On the web browser the path would be:
    http://office.server.com/Private

    Obviously, I'm giving an example to help you see the difference between the folder/directory name on the Linux server and how it looks to web browsers. You MUST change to the appropriate directory/folder when using the steps below. So in my case I type this command first before beginning on my Fedora server:
    cd /var/www/html/Private

    Step 3. Add Access Files to the Folder
    Once you identify the folder you wish to safeguard, you need to create two files in this folder. The files are: .htaccess and .htpasswd. The .htaccess file defines the login prompt shown to users and lists the specific users who are allowed to log in. The .htpasswd file holds the individual users and their passwords.

    Create .htaccess file in your Folder by using a text editor to create .htaccess. Notice that you must include the . (dot) before the file name!

    The file should at least include these lines:
    AuthName "Login to the Private Area"
    AuthType Basic
    AuthUserFile /var/www/html/Private/.htpasswd
    Require user andrea

    Note that the AuthName requires quotes and whatever is in quotes will display on the login window when a user tries to access your private folder with a web browser. It is vital that you properly set the path for the AuthUserFile and obviously replace the word Private with whatever folder you are trying to password protect.

    Also be sure to include the user login names of the people you plan to allow to this folder next to the Require user line. In my case, I simply added myself to this folder as a user (andrea).

    Now, create the .htpasswd file in the same Folder but NOT by using a text editor. Instead use this command from the command line on your Linux server.

    Type this command at the prompt:
    htpasswd -cmb .htpasswd andrea ann2cute

    Note that you must use your own name and password (replace andrea and ann2cute) and that the options cmb do the following: c forces creating a new .htpasswd file, which is necessary since this is your first time adding a user; m forces encryption of the password; b lets you include the user name and password right on the command line. In my case I created a new .htpasswd file, then added the user andrea and her password ann2cute.

    Step 4. Add Additional Users
    To add users you simply need to edit both files again. First, add a user to the .htaccess file by opening it in a text editor and including the new person (my example is bradley).

    The .htaccess file should include these lines:
    AuthName "Login to the Private Area"
    AuthType Basic
    AuthUserFile /var/www/html/Private/.htpasswd
    Require user andrea bradley

    Remember to save the file when you're done adding the new user!
    Now add the user (my example being bradley) to the .htpasswd file using this command:
    htpasswd -mb .htpasswd bradley brad4chad

    In my example, I used the htpasswd command to add the user bradley, with his password brad4chad encrypted, to the .htpasswd file that already exists (note there is no c option this time, because the file exists and must not be recreated). That's it!

    Step 5. Test the Password Function
    Now test that the Apache server is accepting this new protected folder by going to it in a web browser. In my case I test the url http://office.server.com/Private and up comes a pop-up window that requires User Name and Password. I type in my user name and password and instantly I see the index.html page I put in my folder! People who don't have a login won't get access to your web pages within this folder.

    What if it didn't work? Almost always this is a result of the httpd process not being restarted. You can easily restart this process to pick up the changes in your updated httpd.conf file by either rebooting or restarting the process. A reboot works fine, so long as you can tolerate a web server outage for a minute or two. Or, on most flavors you can type this command as root user:
    ./httpd start

    Step 6. What About Removing Users
    There may come a time when you need to delete users from the access. You can do this easily enough by again editing the .htaccess file and running a command to delete the user from the .htpasswd file.

    First, edit the .htaccess file and remove the user you do not wish to allow access to and save the file.

    Second, delete the user from the .htpasswd file by typing this command at the prompt:
    htpasswd -D .htpasswd bradley
    The option D is for delete. It should report that user bradley was deleted.
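Steps 3, 4 and 6 all come back to the same two edits of .htaccess: writing it correctly in the first place, then adding or dropping a name on the Require user line. Here is an added script (mine, not from the article) that does those edits for you so the quotes on AuthName and the absolute AuthUserFile path cannot be lost along the way; it assumes a POSIX sh with awk, takes the protected folder as an argument (the article's is /var/www/html/Private), and the function names are my own. The password file is still maintained with htpasswd exactly as described above.

```shell
#!/bin/sh
# Added example, not from the article: write the .htaccess from Step 3, then add
# or remove a login name on its "Require user" line (Steps 4 and 6) without a
# hand edit that could drop the quotes or the file path. Assumes POSIX sh with
# awk; DIR is the folder being protected (the article's /var/www/html/Private).
# The password file itself is still maintained with htpasswd.

# write_htaccess DIR USER...: create DIR/.htaccess allowing the listed users.
write_htaccess() {
    dir=$1; shift
    {
        echo 'AuthName "Login to the Private Area"'   # quotes: the value has spaces
        echo 'AuthType Basic'
        echo "AuthUserFile $dir/.htpasswd"            # absolute path, as Apache needs
        echo "Require user $*"
    } > "$dir/.htaccess"
}

# require_users FILE: print the names currently on the "Require user" line.
require_users() {
    awk '$1 == "Require" && $2 == "user" { $1 = $2 = ""; sub(/^ +/, ""); print }' "$1"
}

# set_require_line FILE "NAMES": rewrite the Require user line via a temp file.
set_require_line() {
    awk -v names="$2" '$1 == "Require" && $2 == "user" { print "Require user " names; next }
                       { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# add_user FILE NAME: append NAME unless it is already listed.
add_user() {
    current=$(require_users "$1")
    case " $current " in
        *" $2 "*) return 0 ;;                         # already allowed, nothing to do
    esac
    set_require_line "$1" "$current $2"
}

# remove_user FILE NAME: drop NAME, refusing to leave an empty list, since a
# "Require user" line with no names leaves nobody at all able to log in.
remove_user() {
    new=$(require_users "$1" | tr ' ' '\n' | grep -vx "$2" | tr '\n' ' ')
    new=${new% }
    [ -n "$new" ] || { echo "refusing to remove the last user from $1" >&2; return 1; }
    set_require_line "$1" "$new"
}
```

Apache's stock httpd.conf carries a Files block that refuses to serve any file whose name begins with .ht; that block is what keeps the .htpasswd sitting inside Private from being downloaded, so leave it in place. Also, with the b option the password goes on the command line and into your shell history, so on a shared machine run htpasswd without b and let it prompt for the password.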

    NOTE: There are some very good graphical tools now available to perform the same functions on your Linux web server without all of the commands and editing. If you prefer to use such a tool you can try this for example: HTEDIT.

    Enjoy! Andrea


