How do I password protect an Apache website?

Question

I added .htaccess

AuthType Basic
AuthName "restricted area"
AuthUserFile /path/to/the/directory/you/are/protecting/.htpasswd
require valid-user

and .htpasswd

username:password

However, it is not working. It doesn't prompt me for login.

score 4 · Answer 1 · answered Oct 15 '09 at 22:12

Your .htaccess file looks fine. The only reason it is not working as you have it is that Apache is configured to ignore it.

In your apache config, ideally in the sites-* config file, add:

<Directory /path/to/the/directory/you/are/protecting/>
      AllowOverride AuthConfig
</Directory>

The AllowOverride directive is what allows the htaccess file to function. By default, most Apache setups have it turned off (set to None actually), including Ubuntu/Debian.

In your .htpasswd file, the password must be encrypted. You can do this most easily using the htpasswd tool that mezgani suggested. It will look like this if you read the file:

bob:abJnggxhB/yWI

With the AllowOverride directive set to at least AuthConfig, your .htaccess file in place, and your .htpasswd containing a user with an encrypted password, you should be good to go.

Ali Mezgani · Answer 2 · 2009-10-15T20:34:03.257

2

First, add this following to your apache config:


<Directory /path/to/the/directory/you/are/protecting/>
        AllowOverride AuthConfig
        Options Indexes MultiViews FollowSymLinks
        deny from all
        Order deny,allow
</Directory>

After, you may create the .htpasswd file that will contain your login and password with htpasswd command and not manually


htpasswd -c /path/to/the/directory/you/are/protecting/.htpasswd username

I think that moving the .htpasswd file somewhere different from the path of the directory that you are protecting is more secure.

Also, For security reasons, please read this article on securityfocus

edited Oct 15 '09 at 20:34

answered Oct 15 '09 at 20:18

Ali Mezgani

3,810
2
23
36

how do you remove it later ? – Oct 15 '09 at 20:22
Delete the .htaccess and .htpasswd files. and don't forget to remove the apache config that you've added – Ali Mezgani Oct 15 '09 at 20:27
it doesn't work. – Oct 15 '09 at 20:50
You will need to add a `require valid-user` below the Order line. The current apache configuration is set to deny from everyone. – emills Oct 15 '09 at 21:11
yes. i did that. still doesn't work. – Oct 15 '09 at 21:18
well i added these in my sites-available. .htaccess is not recognized. – Oct 15 '09 at 21:19
1

I must say I also have this problem and nowhere near a solution after 5 hours. Was this ever resolved? – Dark Star1 Oct 01 '12 at 00:59

score 1 · Answer 3 · answered Jun 10 '12 at 21:27

In Snow Leopard (OS X 10.6), changing the AllowOverride in httpd.conf only enables .htaccess protection in the main web pages (/Library/WebServer by default). Enabling it for individual users' ~/Sites folders is controlled by a separate .conf file for each user. On my systems this is under /etc/apache/users . Jeff Snider's reference to "in the sites-*" may be where the files for individual users' pages are configured on his system.

How do I password protect an Apache website?

3 Answers3

Linked