Password protect a directory with Apache
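Learn how to password protect a directory using Apache's basic HTTP authentication. This method lets you set up a restricted area of your website that requires a username and password for access. Basic authentication sends the credentials with every request in Base64, which is an encoding and not encryption, so serve the protected directory over HTTPS.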
Requirements
- A Cloud Server running Linux (CentOS 7 or Ubuntu 16.04).
- Apache web server installed and running.
Create the password file
The first step is to create a password file which Apache will use to check the username and password. This file will be named .htpasswd and placed in a secure location outside the web document root: /etc/apache2 on Ubuntu 16.04, and /etc/httpd on CentOS 7.
The htpasswd command can either create a password file or add an entry to an existing one. This first time, use the -c flag to create the file and add the username jdoe:
- CentOS 7: sudo htpasswd -c /etc/httpd/.htpasswd jdoe
- Ubuntu 16.04: sudo htpasswd -c /etc/apache2/.htpasswd jdoe
You will be prompted to enter and confirm the new password for the user.
Add a New User to an Existing File
To add a new user to an existing password file, use the same command without the -c flag, because -c would overwrite the existing file and its users. For example, to add a user janedoe the command is:
- CentOS 7: sudo htpasswd /etc/httpd/.htpasswd janedoe
- Ubuntu 16.04: sudo htpasswd /etc/apache2/.htpasswd janedoe
You will be prompted to enter and confirm the new password for the user.
Enable directory restriction
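Before you can restrict a directory, you will need to configure Apache to allow .htaccess files. The steps below set AllowOverride to All, which lets .htaccess files override every category of directive; the authentication directives used in this guide only need AllowOverride AuthConfig.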
CentOS 7
Open the main Apache configuration file for editing with the command:
sudo nano /etc/httpd/conf/httpd.conf
Scroll down to the <Directory> section for "/var/www/html" and change AllowOverride to All.
Save and exit the file. Then restart Apache for the changes to take effect:
sudo systemctl restart httpd
Ubuntu 16.04
Open the main Apache configuration file for editing with the command:
sudo nano /etc/apache2/apache2.conf
Scroll down to the <Directory> section for "/var/www" and change AllowOverride to All.
<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
Save and exit the file. Then restart Apache for the changes to take effect:
sudo systemctl restart apache2
Create the restricted area
Go to the directory you want to protect. For example:
cd /var/www/html/admin
Create a file called .htaccess and open it for editing:
sudo nano .htaccess
Put the following into this file:
CentOS 7:
AuthType Basic
AuthName "Password Required"
Require valid-user
AuthUserFile /etc/httpd/.htpasswd
Ubuntu 16.04:
AuthType Basic
AuthName "Password Required"
Require valid-user
AuthUserFile /etc/apache2/.htpasswd
Test the authentication
To test the authentication, visit the password-protected URL in a browser. You will get a pop-up which prompts you to enter a username and password to continue.
If your browser has a pop-up blocker, you will need to configure it to allow pop-ups for this domain.
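A check for the password file created above, as an added example that is not part of the original guide: it reports a file that is world-readable, a file stored inside the document root, and entries hashed with anything other than bcrypt. The function names, the output labels and the verdicts (legacy, insecure, review) are this example's own choices.

```shell
#!/bin/sh
# Added example: audit an htpasswd file. Labels and verdicts are this example's own.

# Print "<scheme> <verdict>" for one stored hash, keyed on its prefix.
classify_hash() {
    case "$1" in
        '$2y$'*|'$2a$'*|'$2b$'*) echo "bcrypt ok" ;;              # htpasswd -B
        '$apr1$'*)               echo "apr1-md5 legacy" ;;        # default in Apache 2.4
        '{SHA}'*)                echo "sha1-unsalted insecure" ;; # htpasswd -s
        ?????????????)           echo "des-crypt insecure" ;;     # 13-char crypt(), htpasswd -d
        *)                       echo "unknown review" ;;
    esac
}

# Usage: audit_htpasswd FILE DOCROOT. Prints one line per finding, nothing if clean.
audit_htpasswd() {
    file=$1
    docroot=$2
    # Mode check: the "other" read bit must be clear.
    if [ -n "$(find "$file" -prune -perm -004)" ]; then
        echo "PERMS world-readable"
    fi
    # Location check: the file should sit outside the directory tree Apache serves.
    dir=$(cd "$(dirname "$file")" && pwd -P)
    root=$(cd "$docroot" && pwd -P)
    case "$dir/" in
        "$root"/*) echo "LOCATION inside-docroot" ;;
    esac
    # Each entry is user:hash; report every entry that is not bcrypt.
    while IFS=: read -r user hash; do
        [ -n "$user" ] || continue
        verdict=$(classify_hash "$hash")
        case "$verdict" in
            *" ok") ;;
            *) echo "HASH $user $verdict" ;;
        esac
    done < "$file"
    return 0
}

# Run against real paths when called with two arguments.
if [ $# -eq 2 ]; then
    audit_htpasswd "$1" "$2"
fi
```

On Ubuntu 16.04 this would be run with the arguments /etc/apache2/.htpasswd and /var/www. Entries reported as legacy or insecure can be re-created with bcrypt by adding the -B flag to the htpasswd command.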