Password Protecting Apache2.4 Directories with .htaccess

Introduction:

Apache allows directories to be restricted by requiring a user name and password.  In this article, configuring the httpd.conf, creating a .htaccess file, and generating the necessary password file is demonstrated.

 

Configuring access in httpd.conf:

In this case, denying access to the phpMyAdmin directory located at /usr/local/www/phpMyAdmin is our goal.  To do this, the following directory alias must be modified in the httpd.conf file.

 

Alias /phpmyadmin "/usr/local/www/phpMyAdmin"
       <Directory "/usr/local/www/phpMyAdmin">
       Options None
       AllowOverride AuthConfig
       Require all granted
       </Directory>

 

The above directory alias for phpMyAdmin will only allow access by providing the correct username and password.  Since the httpd.conf file was modified, a graceful restart of the Apache service is recommended by issuing the following command:

 

# apachectl graceful

 

Creating the .htaccess file:

The .htaccess file will contain Apache directives necessary to provide authorized access to the required directory.  In this case, it is necessary to create a .htaccess with the following contents shown below.  Additionally, the .htaccess file is created in the following directory   /usr/local/www/phpMyAdmin/

 

AuthName "Unauthorized Access will be Prosecuted"
AuthType Basic
AuthUserFile /usr/local/www/htaccess/.passfile
Require valid-user

 

AuthName – Text displayed above the password dialogue box

AuthType – Allows for the use of Basic Http Authentication

AuthUserFile – location of the password file

Required – Valid Users are required for directory access

 

As good measure, change the permissions on the .htaccess file as follows:

 

# cd /usr/local/www/phpMyAdmin
# chown root:www .htaccess
# chmod 640 .htaccess

 

Create the Password File:

At this point, the password file is created using the htpasswd utility as shown below.  However, the directory in which the password file resides should not be within the URI space of the web server.

 

Create the Password File Directory:

# cd /usr/local/www
# mkdir htaccess

 

Create the Password File and Create a New User “ken”:

# htpasswd -c /usr/local/www/htaccess/.passfile ken
New password:
Re-type new password:
Adding password for user ken

 

To add additional user “kathy” to the same file, use the command below:

# htpasswd .passfile kathy
New password:
Re-type new password:
Adding password for user kathy

 

As good measure, change the permissions on the .htaccess file as follows:

# cd /usr/local/www/htaccess
# chown root:www .passfile
# chmod 640 .htaccess

 

For additional parameters and information using the htpasswd utility, please refer to the man page.

 

Summary:

To password protect Apache directories is rather simple using the htpasswd utility.  It provides a easy method to manage usernames and passwords.

 

Additional Resources:

www.apache.org

htpasswd man page

Leave a Reply

Your email address will not be published.