Protecting Web Server Directories with Passwords

From Thomas-Krenn-Wiki

This article describes how to protect directories and files with a password using an .htaccess file under the Apache web server.

Creating a .passwd File

To protect directories and files under the Apache web server, a file containing the password data is required. This file should not be created inside the web server's DocumentRoot directory (for example, /var/www), because from there it could be read over the Internet; it is better placed in the /root directory instead.

vps140:~# htpasswd -cs .passwd testuser
New password:
Re-type new password:
Adding password for user testuser
vps140:~# 

The -c flag causes a new file to be created. The -s flag forces the password to be hashed using the Secure Hash Algorithm (SHA), which htpasswd stores in the {SHA} format shown below.

The file can be viewed using the cat command.

vps140:~# cat .passwd
testuser:{SHA}RcVxoVbdzvQTUacTvN3uW6fpVGA=

Creating the .htaccess File

To password-protect directories and files under the Apache web server, an .htaccess file is created in the corresponding directory (using the nano editor, for example). The following example assumes that the websvn directory located in the web server's DocumentRoot directory should be protected by a password.

vps140:/var/www/websvn# nano .htaccess

The file will appear as follows:

AuthType Basic
AuthUserFile /root/.passwd
AuthName "websvn"
order deny,allow
allow from all
require valid-user

The AuthUserFile line indicates where the .passwd file, which is used for authenticating the user during login, is found. The require valid-user line specifies who should have access to the directories and files. With valid-user, all users stored in the .passwd file receive access to the directories and files. (If only certain users should have access, that can be indicated here with require testuser, for example.)
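As an added example (not code from the original article), the following Python shows what the two pieces of configuration above amount to: it parses a .passwd file in the {SHA} format produced by htpasswd -s and checks an HTTP Basic Authorization header against it, as Apache does for AuthType Basic with require valid-user. The sample file contents and the password "password" are constructed for the demo.

```python
import base64
import hashlib
import hmac

# Constructed sample .passwd contents for this demo (not the article's file).
# The {SHA} value is what "htpasswd -s" writes for the password "password".
SAMPLE_PASSWD = "testuser:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=\n"


def parse_passwd(text):
    """Return {user: stored_hash} from htpasswd-style 'user:hash' lines."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        users[user] = stored
    return users


def sha_hash(password):
    """Reproduce htpasswd -s: '{SHA}' + base64 of the raw, unsalted SHA-1 digest."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def check_credentials(text, user, password):
    """True if the user exists in the file and the password matches its {SHA} entry."""
    stored = parse_passwd(text).get(user)
    if stored is None or not stored.startswith("{SHA}"):
        return False
    # Compare in constant time so a mismatch does not leak where it differs.
    return hmac.compare_digest(stored, sha_hash(password))


def authorize_basic(text, header_value):
    """Validate the value of an 'Authorization: Basic <token>' request header.

    The token is only base64('user:password'), not encryption, which is why
    Basic authentication needs TLS in front of it.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme != "Basic":
        return False
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, password = decoded.partition(":")
    return bool(sep) and check_credentials(text, user, password)
```

Note that the {SHA} entries are unsalted SHA-1 and Basic authentication sends the credentials base64-encoded on every request, so serve the protected directory over HTTPS and, on Apache 2.4, prefer htpasswd -B (bcrypt) over -s.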

Adjusting the File using VirtualHost

For the settings to take effect, the AllowOverride option must be changed from None to All in the configuration file of the corresponding VirtualHost, within the Directory block for the DocumentRoot directory (/var/www/).

vps140:/etc/apache2/sites-available# nano default

NameVirtualHost *
<VirtualHost *>
        ServerAdmin webmaster@localhost

        DocumentRoot /var/www/
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                allow from all
                # This directive allows us to have apache2's default start page
                # in /apache2-default/, but still have / go to the right place
                RedirectMatch ^/$ /apache2-default/
        </Directory>
...

Accepting the Settings

For the web server to accept the setting, it only needs to be restarted afterwards.

vps140:~# /etc/init.d/apache2 restart
Forcing reload of web server (apache2)... waiting .
vps140:~#

Result

When someone requests the protected part of the web site, the browser shows a dialog asking for authentication.

[Image: Passwortabfrage.jpg, the browser's password prompt]

Author: Florian Hettenbach
