Password protect a directory with Apache

Learn how to password protect a directory using Apache's basic HTTP authentication. This method will allow you to set up a restricted area of your website which will require a username and password for access.

Requirements

  • A Cloud Server running Linux (CentOS 7 or Ubuntu 16.04).
  • Apache web server installed and running.

Create the password file

The first step is to create a password file which Apache will use to check the username and password. This file will be named .htpasswd and stored in a secure location outside the web document root: /etc/apache2 on Ubuntu 16.04, and /etc/httpd on CentOS 7.

The htpasswd command can be used to either create a password file or add an entry to it. For this first time, we will use the -c flag to create the file and add the username jdoe:

  • CentOS 7: sudo htpasswd -c /etc/httpd/.htpasswd jdoe
  • Ubuntu 16.04: sudo htpasswd -c /etc/apache2/.htpasswd jdoe

You will be prompted to enter and confirm the new password for the user.

Add a New User to an Existing File

To add a new user to an existing password file, use the same command without the -c flag; with -c, htpasswd would recreate the file and discard the existing entries. For example, to add a user janedoe the command is:

  • CentOS 7: sudo htpasswd /etc/httpd/.htpasswd janedoe
  • Ubuntu 16.04: sudo htpasswd /etc/apache2/.htpasswd janedoe

You will be prompted to enter and confirm the new password for the user.

Enable directory restriction

Before you can restrict a directory, you will need to configure Apache to allow .htaccess files.

CentOS 7

Open the main Apache configuration file for editing with the command:

sudo nano /etc/httpd/conf/httpd.conf

Scroll down to the <Directory> section for "/var/www/html" and change AllowOverride to All.

Save and exit the file. Then restart Apache for the changes to take effect:

sudo systemctl restart httpd

Ubuntu 16.04

Open the main Apache configuration file for editing with the command:

sudo nano /etc/apache2/apache2.conf

Scroll down to the <Directory> section for "/var/www" and change AllowOverride to All.

<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>

Save and exit the file. Then restart Apache for the changes to take effect:

sudo systemctl restart apache2

Create the restricted area

Go to the directory you want to protect. For example:

cd /var/www/html/admin

Create a file called .htaccess and open it for editing:

sudo nano .htaccess

Put the following into this file:

CentOS 7:

AuthType Basic
AuthName "Password Required"
Require valid-user
AuthUserFile /etc/httpd/.htpasswd

Ubuntu 16.04:

AuthType Basic
AuthName "Password Required"
Require valid-user
AuthUserFile /etc/apache2/.htpasswd
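
The following script is an added example, not part of the original guide. It checks that a .htaccess file contains the four directives shown above and that AuthUserFile points outside the document root. The helper names htaccess_value and audit_htaccess are hypothetical, and the sample file is constructed.

```bash
#!/usr/bin/env bash
# Added example: audit a .htaccess file for the directives used in this guide.
# htaccess_value and audit_htaccess are hypothetical helper names, not Apache tools.

# Print the arguments of the first occurrence of directive $2 in file $1.
# Directive names are case-insensitive; commented-out lines never match
# because their first field starts with '#'.
htaccess_value() {
    awk -v d="$2" 'tolower($1) == tolower(d) {
        $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# audit_htaccess FILE DOCROOT: prints one line per problem, returns 1 if any.
audit_htaccess() {
    local file docroot bad atype name req userfile
    file="$1"; docroot="${2%/}"; bad=0
    atype=$(htaccess_value "$file" AuthType | tr 'A-Z' 'a-z')
    name=$(htaccess_value "$file" AuthName)
    req=$(htaccess_value "$file" Require)
    userfile=$(htaccess_value "$file" AuthUserFile | tr -d '"')  # drop optional quotes

    [ "$atype" = "basic" ] || { echo "AuthType is not Basic"; bad=1; }
    [ -n "$name" ] || { echo "AuthName is missing"; bad=1; }
    [ -n "$req" ] || { echo "Require is missing: directory is not restricted"; bad=1; }
    case "$userfile" in
        "")           echo "AuthUserFile is missing"; bad=1 ;;
        "$docroot"/*) echo "AuthUserFile is inside the document root"; bad=1 ;;
        /*)           ;;  # absolute path outside the document root
        *)            echo "AuthUserFile is not an absolute path"; bad=1 ;;
    esac
    return "$bad"
}

# Constructed sample: the Ubuntu 16.04 .htaccess from this guide.
demo=$(mktemp -d)
printf '%s\n' 'AuthType Basic' 'AuthName "Password Required"' \
    'Require valid-user' 'AuthUserFile /etc/apache2/.htpasswd' > "$demo/.htaccess"
audit_htaccess "$demo/.htaccess" /var/www/html && echo "OK: no problems found"
rm -rf "$demo"
```

Run it against a real file with, for example, audit_htaccess /var/www/html/admin/.htaccess /var/www/html.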

Test the authentication

To test the authentication, visit the password-protected URL in a browser. You will get a pop-up which prompts you to enter a username and password to continue.

Note

If your browser has a pop-up blocker, you will need to configure it to allow pop-ups for this domain.
