Using Apache realms to password-protect your website

by Marion Bates <mbates at>

NOTE: 99 percent of this info came from I am merely condensing it further, and adding some info for newer versions of Apache (skip down).

Step 1: Edit /etc/httpd/conf/httpd.conf (make a backup copy first). Find the line that says

    AllowOverride None 

And change it to:

    AllowOverride AuthConfig 

If you are using virtual domains, then you will need to add that line to the Directory section of the virtual host area(s) under which you want to be able to enable authentication. E.g.:

        DocumentRoot /home/
        ScriptAlias /cgi-bin/ /home/
        ErrorLog logs/
        TransferLog logs/
        CustomLog logs/ combined
        <Directory /home/>
                Options Indexes FollowSymLinks
                AllowOverride AuthConfig 

Restart apache. (/etc/init.d/httpd restart)

Step 2: Run htpasswd (usually under /usr/bin, but depends on where/how you installed Apache) to generate a username and password for each user to whom you want to allow access to password-protected directories. If you have never done this before, run it with the -c flag (to create a new passwd file) and make sure that you create the file under a secure directory (NOT webroot!) The syntax is htpasswd -c <path-tonew-passwd-file> <username-to-create>. For example:

htpasswd -c /etc/httpd/conf/users jsmith

will create a passwd file called "users" under /etc/httpd/conf, and will add an entry for the user name jsmith. Follow the prompts to set jsmith's password.

To add additional users, after you've created the file, type:

htpasswd /etc/httpd/conf/users username

Note: Check the permissions on that file and fix them if need be:

sudo chmod 644 /etc/httpd/conf/users

Step 3: In the directory you want to protect, create a file called .htaccess. Enter the following:

AuthType Basic
AuthName "Restricted Files"
AuthUserFile /etc/httpd/conf/users
Require valid-user

You have now created a realm called "Restricted Files". This is what gets presented to the client when he is asked to log in. Also, for any other areas of your site which use a .htaccess access file with the same realm name, users will not be prompted again for the same login/pass.

Procedural differences for newer versions of Apache and/or different site configurations:

  1. Edit /etc/httpd/conf.d/ssl.conf and add section like:
    <Directory "/home/httpd/html/secret">
            Options +Indexes
            SSLOptions           +StrictRequire
            SSLRequire           %{SSL_CIPHER_USEKEYSIZE} >= 128
            Order deny,allow
            deny from all        
            AuthType Basic       
            AuthUserFile /etc/httpd/conf/users
            AuthName "Secret Area"
            require valid-user
            satisfy any

  2. Edit /etc/httpd/conf/httpd.conf and add a line to the Rewrite rules section like:
    RewriteRule   ^/secret/(.*)$$1 [R]
  3. (Restart Apache, generate users file, and fix permissions as outlined above)

    The end, for now.