How to Password Protect an Apache, Apache2 web page or Directory

Many times when building a website, you want to limit access to some content or folder or the whole website.  For instance you may have a “Downloads” section that you want to give access to selectively. Here is an easy way to make Apache web server ask for a username and password when someone tries to gain access to directories with restricted content, no matter what it is, music, video, files, … anything (even the whole website).

This example uses Apache2 installed on Ubuntu 14.04

Here we assume you have a fresh minimal Ubuntu server install. lets install the web server with:

sudo apt-get install apache2

Lets also install utilities:

sudo apt-get install apache2-utils

Your default root directory that Apache serves from is located at /var/www/html

Now, lets say you have a directory called “Downloads” in the root directory, so your root directory would look something like this:

 

index.html Downloads    (<— Blue means its a folder)

So in your /var/www/html directory you have a file called “index.html” and a folder called “Downloads”.

Downloads folder contains very sensitive content that you do not want to give everyone access to. We will configure Apache to ask the user for a username and password when they click on a link in the “index.html” file that points to the “Downloads” directory

The package “apache2-utils” gives us the tools needed t add the password using the command htpasswd

Before we do that we need to create a hidden file called .htpassword insoed the /etc/apache2 directory. We do this with the following command.

sudo htpasswd -c /etc/apache2/.htpasswd yourname

replace “yourname” with whatever you would like the username to be. (Authentication will consists of a username and password & you can use anything here, like “admin” or “Bob” or “whatever”.

when you hit enter you will be prompted to supply a password twice.

This will be the password use for authentication to the “Downloads” directory in this example.

This gives us a hidden file that Apache can use which stores an encrypted version of the password you were prompted for earlier. (this is good.. nowhere will there be a plain text password for anyone to read)

Now we need to configure Apache to check this file before serving the protected directory to a clients web browser. We do this by modifying the virtual hosts file. If you have a vanilla install of apache2 and serving only one website the default for this configuration file will be:

/etc/apache2/sites-enabled/000-default.conf

 

Lets modify the file like so:

sudo nano /etc/apache2/sites-enabled/000-default.conf

at first the file will look like this:

 

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

 

Lets make it look like this:

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    <Directory "/var/www/html/Downlods">
        AuthType Basic
        AuthName "Restricted Content"
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
    </Directory>
</VirtualHost>

 

We now have everything in place. We have created the hidden file with an encrypted authentication credentials. We have also told Apache which folder to protect “Downloads” if you wanted to protect the whole website you would just change the line below.

<Directory "/var/www/html/Downlods">

TO:

 

<Directory "/var/www/html">

Now all that is left is to restart Apache with the following command:

sudo service apache2 restart

 

To check open your browser and navigate to your website and click on the link for the “Downloads” folder and VOILA! up pops a box that asks for a username and password to proceed.

 

-Carmine Bufano