NOTE: 99 percent of this info came from http://httpd.apache.org/docs-2.0/howto/auth.html. I am merely condensing it further, and adding some info for newer versions of Apache (skip down).
Step 1: Edit /etc/httpd/conf/httpd.conf (make a backup copy first). Find the line that says
AllowOverride None
And change it to:
AllowOverride AuthConfig
If you are using virtual domains, then you will need to add that line to the Directory section of the virtual host area(s) under which you want to be able to enable authentication. E.g.:
# The opening tag is missing from the original page; *:80 is a placeholder address.
<VirtualHost *:80>
    ServerAdmin admin@yourdomain.com
    DocumentRoot /home/www.yourdomain.com/html
    ServerName www.yourdomain.com
    ServerAlias yourdomain.com
    ScriptAlias /cgi-bin/ /home/www.yourdomain.com/cgi-bin/
    ErrorLog logs/www.yourdomain.com-error_log
    TransferLog logs/www.yourdomain.com-transfer_log
    CustomLog logs/www.yourdomain.com-access_log combined
    <Directory /home/www.yourdomain.com/html>
        Options Indexes FollowSymLinks
        AllowOverride AuthConfig
    </Directory>
</VirtualHost>
Restart Apache (/etc/init.d/httpd restart).
Step 2: Run htpasswd (usually under /usr/bin, but depends on where/how you installed Apache) to generate a username and password for each user to whom you want to allow access to password-protected directories. If you have never done this before, run it with the -c flag (to create a new passwd file) and make sure that you create the file under a secure directory (NOT webroot!). The syntax is htpasswd -c <path-to-new-passwd-file> <username-to-create>. For example:
htpasswd -c /etc/httpd/conf/users jsmith
will create a passwd file called "users" under /etc/httpd/conf, and will add an entry for the user name jsmith. Follow the prompts to set jsmith's password.
To add additional users, after you've created the file, type:
htpasswd /etc/httpd/conf/users username
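Note: Check the permissions on that file and fix them if need be:
sudo chmod 644 /etc/httpd/conf/users
The user Apache runs as must be able to read this file. Mode 644 also lets every other local account read the password hashes, so on a shared host consider restricting read access to the owner and the group Apache runs as.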
Step 3: In the directory you want to protect, create a file called .htaccess. Enter the following:
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /etc/httpd/conf/users
Require valid-user
You have now created a realm called "Restricted Files". This is the name presented to the client when they are asked to log in. Any other area of your site whose .htaccess file uses the same realm name will not prompt users again for the same login/pass.
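A check for Steps 2 and 3, added here as an example and not taken from the original page: it reads the AuthUserFile out of a .htaccess and verifies that the password file sits outside the web root and is not world-writable. The function names and the throwaway demo tree are assumptions, and it expects AuthUserFile to be an absolute path without spaces.

```sh
#!/bin/sh
# Added example (not from the original page): check the password file that a
# .htaccess names. Assumes AuthUserFile is an absolute path without spaces.

# Absolute path with symlinks in the directory part resolved.
resolve() {
    d=$(cd "$(dirname "$1")" 2>/dev/null && pwd -P) || return 1
    printf '%s/%s\n' "$d" "$(basename "$1")"
}

# audit_htaccess HTACCESS DOCROOT -> 0 clean, 1 finding, 2 could not check
audit_htaccess() {
    htaccess=$1 docroot=$2 rc=0
    # Directive names are case-insensitive; take the first AuthUserFile.
    userfile=$(awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2; exit }' "$htaccess")
    [ -n "$userfile" ] || { echo "no AuthUserFile in $htaccess"; return 2; }
    [ -f "$userfile" ] || { echo "not found: $userfile"; return 2; }
    real=$(resolve "$userfile") || return 2
    root=$(cd "$docroot" 2>/dev/null && pwd -P) || return 2
    case $real in
        "$root"/*) echo "FAIL: $real is inside the web root"; rc=1 ;;
    esac
    # -perm -002 / -004 match when the "other" write / read bit is set.
    if [ -n "$(find -L "$real" -prune -perm -002)" ]; then
        echo "FAIL: $real is world-writable"; rc=1
    fi
    if [ -n "$(find -L "$real" -prune -perm -004)" ]; then
        echo "WARN: $real is world-readable"
    fi
    return $rc
}

# Constructed demo: a throwaway tree standing in for the page's paths.
demo() {
    t=$(mktemp -d) || return 2
    mkdir -p "$t/html/secret" "$t/conf"
    echo 'jsmith:constructed-hash' > "$t/conf/users"
    chmod 644 "$t/conf/users"
    printf 'AuthType Basic\nAuthName "Restricted Files"\nAuthUserFile %s\nRequire valid-user\n' \
        "$t/conf/users" > "$t/html/secret/.htaccess"
    audit_htaccess "$t/html/secret/.htaccess" "$t/html"; status=$?
    rm -rf "$t"
    return $status
}
demo
```

On a real server, call audit_htaccess with the protected directory's .htaccess and the site's DocumentRoot; the demo with mode 644 passes but prints the world-readable warning.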
Procedural differences for newer versions of Apache and/or different site configurations:
<Directory "/home/httpd/html/secret">
    Options +Indexes
    SSLOptions +StrictRequire
    SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
    Order deny,allow
    deny from all
    AuthType Basic
    AuthUserFile /etc/httpd/conf/users
    AuthName "Secret Area"
    require valid-user
    satisfy any
</Directory>
RewriteRule ^/secret/(.*)$ https://www.yourdomain.com/secret/$1 [R]
The end, for now.