UNIX / Linux keyboard.

How to Password Protect a Web Page with Apache

Password Protection with Apache

Let's say you want this situation:

~/public-web/Index.html My default page, world-readable
~/public-web/public/ World-readable subdirectory
~/public-web/private/ Password-protected subdirectory

You need a "password file" in a place where Apache can read it but will not serve it up to web clients. That means it must not be under ~/public-web. Your home directory should work.

Here I create a new password file as I add a user named fred.

% htpasswd -c ~/.web-password fred
Adding password for fred.
New password: ******
Re-type new password: ******
% ls -l ~/.web-password
-rw-r--r--  1 cromwell cromwell 19 Jan 29 14:58 /home/cromwell/.web-password

Note that you do NOT see the literal "******" above. I added that to indicate where I typed the rather bad password fredpw.

Now, similar to /etc/shadow, the password file does NOT contain the password, but the hash of the password:

% cat ~/.web-password

Now I just need to do the following in order to password-protect my directory ~/public-web/private/

% cd ~/public-web/private
% cat > .htaccess
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /home/cromwell/.web-password
Require user fred

That's it for the basic stuff! For far more, like adding more users, making groups of users, allowing or disallowing access from specific IP address blocks or domains, etc see the full Apache documentation.

Linux and