How to Password Protect a Web Page with Apache

Password Protection with Apache

Let's say you want this situation:

You need a "password file" in a place where Apache can read it but will not serve it up to web clients. That means it must not be under ~/public-web. Your home directory should work.

Here I create a new password file as I add a user named fred.

% htpasswd -c ~/.web-password fred
Adding password for fred.
New password: ******
Re-type new password: ******
% ls -l ~/.web-password
-rw-r--r--  1 cromwell cromwell 19 Jan 29 14:58 /home/cromwell/.web-password

Note that you do NOT see the literal "******" above. I added that to indicate where I typed the rather bad password fredpw.

Now, similar to /etc/shadow, the password file does NOT contain the password, but the hash of the password:

% cat ~/.web-password
fred:ds8BPFUd2MZDw

Now I just need to do the following in order to password-protect my directory ~/public-web/private/

% cd ~/public-web/private
% cat > .htaccess
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /home/cromwell/.web-password
Require user fred
^D

That's it for the basic stuff! For far more, like adding more users, making groups of users, allowing or disallowing access from specific IP address blocks or domains, etc see the full Apache documentation.