apache .htaccess authentication howto

From thelinuxwiki
Jump to: navigation, search


versions

version: 2.2.25

O.S.: gentoo

This may work for other apache versions, but the instructions here were only tested with the above version. It will work for other distros too.

problem

need to configure file or directory specific authentication using .htaccess

  • note - this is not recommended by apache. Apache recommends configuring auth via the main server config files. However, there are times(such as some hosted scenarios) where you won't have access to those files, and .htaccess is an alternative.


solution

set AllowOverride to All in the config section for your website in the appropriate conf file (i.e. httpd.conf or other depending upon setup) as seen below in bold. This allows Apache to override previous directives with .htaccess files.

       <Directory /var/www/>
               Options Indexes FollowSymLinks MultiViews
               AllowOverride All
               Order allow,deny
               allow from all
       </Directory>

reload / restart apache config file. command my vary by distro. on gentoo run...

# /etc/init.d/apache2 restart


Create a file called .htaccess in the directory you want to password-protect with the follwing content:

AuthUserFile /your/path/.htpasswd
AuthName "Authorization Required"
AuthType Basic
require valid-user

instead of valid-user, you can also add the users you want directly

If you want to password protect just a single file in a folder add the following lines to the .htaccess file:

<Files "mypage.html">
  Require valid-user
</Files>

Then create the file /your/path/.htpasswd which contains the users that are allowed to login and their passwords. We do that with the htpasswd command:

htpasswd -c /path/to/your/.htpasswd user1

The -c flag is used only when you are creating a new file. After the first time, you will omit the -c flag, when you are adding new users to an already-existing password file. Otherwise you will overwrite the file!!

Nevertheless, you should store the file in as secure a location as possible, with whatever minimum permissions on the file so that the web server itself can read the file.

Finally we need to add the following lines to /etc/apache2/apache2.conf:

<Directory /your/path>
AllowOverride All
</Directory>

You have to adjust /your/path/.htpasswd

Restart your webserver:

sudo /etc/init.d/apache2 restart

snippets taken from EnablingUseOfApacheHtaccessFiles at help.ubuntu.com