How to set up Apache htpasswd Authentication in Ubuntu
By Adarsh Sojitra on September 5th, 2019
Every application on the internet has some parts in it that an anonymous user should not access. For example, a directory containing confidential documents like PDFs, Docs and sheets. But, there is a way to protect these directories at server level with Apache htpasswd. So, What is htpasswd? It is an Apache utility that allows you to protect a part of your application or the whole application with username and password at server level.
As the authentication happens at the server level, even the application running on the server cannot access the files without correct username and password. It means that you can protect some parts or pages of your application with the most basic authentication.
In this guide, we will see How to set up basic authentication using Apache htpasswd. We will first install it on the server and then we will move on to the configuration part.
There are some prerequisites to follow this guide. You must have your server configured properly with a website that you want to protect. If you have not configured your server yet, Follow our guide to set up your server with Apache and PHP-FPM.
Once done, Let’s get started with the guide. First of all, we are going to install
apache2-utils package on the server. It is very easy as it just takes a few command to install. Let’s get started with the actual work.
Install Apache2 utils on Ubuntu
Installing Apache2 utils is very easy. It just takes a few commands and less than a minute to configure. Execute the following bunch of commands to install
apache2-utils package on your server if it is not already installed. You can run these commands if you are not sure if it is already installed, it won’t harm.
$ sudo apt-get update $ sudo apt-get install apache2-utils
Once done, the installation part is complete. It is easy, as I said. Now, we have to create htpasswd file to store the user information. Let’s learn how to create Apache htpasswd file on Linux.
Create Apache htpasswd file
The actual name of the htpasswd file is
.htpasswd. It’s the default name that everyone uses but you can name it whatever you want. The “.” as the first character of the filename says that the file should be hidden in the list. Let’s create an htpasswd file on our server. Execute the following command to create a blank .htpasswd inside Apache’s configuration directory. Again, you can store it wherever you want, as per your requirements.
$ sudo touch /etc/apache2/.htpasswd
Once done, we can add new users to the .htpasswd file. For this task, we will use the
htpasswd command that comes with the package we installed in the previous step. Let’s add some users to our brand new htpasswd file.
NOTE: You are not limited to just one htpasswd file. You can create multiple htpasswd files at different locations for different applications containing different users.
We will learn how to attach a specific website with a specific htpasswd file further in this guide.
htpasswd Add User
Adding user to the htpasswd file is easy too. You just have to run a command and the utility will handle the rest. Execute the following command in the console to add a new user to htpasswd file.
$ sudo htpasswd /etc/apache2/.htpasswd USERNAME
Again, you can replace the part of command with orange font color. Just enter the correct location of your htpasswd file and the user you want to add to that htpasswd file.
It will ask you twice for a new password. Enter the strong password and you are done! You can execute the same command to add more users.
Now, Let’s learn how to protect a specific directory or an application using the brand new htpasswd file we made.
Apache Htpasswd protection using VirtualHost
Virtual host is a file that tells the web browser (Apache) to redirect a request to specific document root, based on the domain name. If you do not know anything about virtual hosts, learn more about virtual hosts from our guide.
We can protect a specific directory or an entire application by injecting few lines of code in our virtual host file. To open your virtual host file in edit mode, execute the following command.
$ sudo nano /etc/apache2/sites-available/000-default.conf
Here I am editing a default Apache virtual host. But you can open the one you want to edit by changing the file name. Once it is in edit mode, add the following code (Colored) to the file. I have excluded all the other code to show the exact location to add the code.
<VirtualHost *:80> . . . <Directory /var/www/html/protected> AuthType Basic AuthName "Protected" AuthUserFile /etc/apache2/.htpasswd Require valid-user <Directory> </VirtualHost>
Do not forget to replace the absolute path to the directory you want to protect and also the location of the htpasswd file. Once done, press CTRL+X followed by Y followed by Enter to save the configuration file. Next, execute the following command to restart the Apache web server.
$ sudo service apache2 restart
We have to restart the Apache server to apply the changes. Once done, try to access the directory or website you wanted to protect. You will see an alert asking for username and password. Entering the correct username and password will allow you to access the website/directory.
Apache Htpasswd protection using htaccess
You can also edit the
.htaccess file on your server to protect the contents. It is the easy method and you can create .htaccess file inside sub-directories too! Which means that you can create a new .htaccess file inside a specific directory to protect that directory with basic authentication.
Execute the following command to open the
.htaccess file in the edit mode. If it is not already present, the command will create a new file.
$ sudo nano /var/www/html/protected/.htaccess
Do not forget to replace the path of the directory you want to protect. Once the file is in edit mode, Add the following code at the top of the file.
AuthType Basic AuthName "Restricted Content" AuthUserFile /etc/apache2/.htpasswd Require valid-user
Once done, press CTRL+X followed by Y followed by the Enter key to save the file. Once done, try to access the protected directory or a website in the browser. It will ask you for username and password before the contents are displayed in the browser.
So, this is how you can protect the your website or a specific directory using Htpasswd and Htaccess.
Conclusion: Every application needs some kind of protection from anonymous users. With Htpasswd, you can protect specific directories and you can limit specific directories to specific users only. It is a good way to provide limited access to specific users. Htpasswd is fairly easy to install, create and configure. Let us know if you need help from us by mentioning the problem you are facing or a query you have in the comment section given below. We will reply you with the solution or an answer. If you are InterServer customer, please reach our support staff for further help!
One correction: the closing Directory tag in your virtual host config needs to include the closing slash.