How to configure HTTP/Password Authentication for Apache in Linux servers
In some cases, we may need to secure our website so that only authenticated users can access the website. We can protect our website at the server level using Apache Password Authentication.
In, this tutorial we will try to explain how we can enable HTTP/password authentication to protect website or content with Apache web server.
A.- For RHEL/Centos OS:
STEP 1: Setup Basic HTTP Authentication credentials.
• Verify that you have httpd-tools package installed, if not run:
$ sudo yum install httpd-tools
We use a utility called “htpasswd” to create a file that will contain user and password which will be used to access restricted content.
$ sudo htpasswd -c /etc/httpd/.htpasswd httpauth_user
New password:
Re-type new password:
Adding password for user httpauth_user
You’ll be asked to supply and confirm a password for user “httpauth_user”.
• If you would like to add additional users to the htpasswd file, remove the "-c" command flag so you don't overwrite the htpasswd file.
$ sudo htpasswd -c /etc/httpd/.htpasswd httpauth_user
• Check the contents of password file.
$ cat /etc/httpd/.htpasswd
httpauth_user:$apr1$zMuo27/6$XTUlvJbHEz5S0EgaC.Vsp0
STEP 2: Configure Apache Password Authentication.
We now have a file with our user and password which Apache can read. Now we will configure Apache to check this file before serving our protected content. This can be done in two different ways: -
- Edit Apache virtual host
- Or using .htaccess file
Configure HTTP Authentication with virtual host
Authentication is done on a per-directory basis. To set up authentication, you will need to target the directory you wish to restrict with a block. In our example, we’ll restrict the entire document root, but you can modify this listing to only target a specific directory within the web space:
• Add the <Directory__> as mentioned below.
$ sudo vim /etc/httpd/conf.d/domain.com.conf
<VirtualHost *:80>
ServerAdmin web@localhost
DocumentRoot /var/www/html
CustomLog /var/log/httpd/domain.com-access.log combined
ErrorLog /var/log/httpd/domain.com-error.log
<Directory "/var/www/html">
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/httpd/.htpasswd
Require valid-user
</Directory>
</VirtualHost>
• Save and close the file when you are finished. Test and Restart/Reload Apache to implement your password policy:
$ sudo httpd -t
$ sudo systemctl restart httpd
OR
$ sudo systemctl reload httpd
Configure HTTP Authentication with .htaccess file.
To setup password authentication with .htaccess file instead, you will need to edit main Apache main configuration to allow .htaccess file.
Modify the, block from None to All
$ sudo vim /etc/httpd/conf/httpd.conf
. . .
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
. . .
• Next, we need to add an .htaccess file to the directory we wish to restrict.
$ sudo vim /var/www/html/.htaccess
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/httpd/.htpasswd
Require valid-user
Save and close the file when you are finished. Test and Restart/Reload Apache to implement your password policy:
$ sudo httpd -t
$ sudo systemctl restart httpd
OR
$ sudo systemctl reload httpd
B.- For Debian/Ubuntu OS:
STEP 1: Setup Basic HTTP Authentication credentials.
• Verify that you have apache2-utils package installed, if not run:
$ sudo apt-get install apache2-utils
We use a utility called “htpasswd” to create a file that will contain user and password which will be used to access restricted content.
$ sudo htpasswd -c /etc/apache2/.htpasswd httpauth_user
New password:
Re-type new password:
Adding password for user httpauth_user
You’ll be asked to supply and confirm a password for user “httpauth_user”.
• If you would like to add additional users to the htpasswd file, remove the "-c" command flag so you don't overwrite the htpasswd file.
• Check the contents of password file
$ cat /etc/apache2/.htpasswd
httpauth_user:$apr1$zMuo27/6$XTUlvJbHEz5S0EgaC.Vsp0
STEP 2: Configure Apache Password Authentication.
Configure HTTP Authentication with virtual host.
• Edit the Virtual host and add the <Directory__> as mentioned below.
$ sudo vim /etc/apache2/sites-available/domain.com.conf
<VirtualHost *:80>
ServerAdmin web@localhost
DocumentRoot /var/www/html
CustomLog /var/log/httpd/domain.com-access.log combined
ErrorLog /var/log/httpd/domain.com-error.log
<Directory "/var/www/html">
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Directory>
</VirtualHost>
• Save and close the file when you are finished.
• Now that the file has been created, there is one additional step for enabling Apache virtual hosts in Debian/Ubuntu. This is done with the use of the a2ensite tool. To enable the newly created Virtual Host, run the following command:
$ sudo a2ensite domain.com.conf
To be doubly sure the tool was successful, you can run the following command:
$ sudo ls -lah /etc/apache2/sites-enabled | grep domain.com.conf
This should return output showing the file is symlinked to this directory.
Test and Restart/Reload Apache to implement your password policy:
$ sudo apachectl -t
$ sudo systemctl restart apache2
OR
$ sudo systemctl reload apache2
Configure HTTP Authentication with .htaccess file.
To setup password authentication with .htaccess file instead, you will need to edit main Apache main configuration to allow .htaccess file.
• Modify the, block from None to All
$ sudo vim /etc/apache2/apache2.conf
. . .
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
. . .
• Next, we need to add an .htaccess file to the directory we wish to restrict.
$ sudo vim /var/www/html/.htaccess
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
Save and close the file when you are finished. Test and Restart/Reload Apache to implement your password policy:
$ sudo apachectl -t
$ sudo systemctl restart apache2
OR
$ sudo systemctl reload apache2
Confirm the Password Authentication
Try to access your restricted content in a web browser to confirm if it is protected: -
You should see a pop-up like below: -
Once you will enter correct credentials, you will be allowed to access the content.
If you enter the wrong credentials or hit “Cancel”, you will see the “Unauthorized” error page:
Updated 12 months ago