Apache Web Server is among the most popular web servers and is widely used to host static and PHP-based websites. We can password-protect either the complete site or specific sections of a site using the htpasswd utility with the Apache Web Server. This tutorial provides the steps to generate username and password pairs using the htpasswd utility and store them in the .htpasswd file. It also shows how to password-protect or restrict access to the complete site or specific sections of the site by updating the virtual host or by adding and configuring the .htaccess file. All the examples provided in this tutorial were tested using Apache 2.4 installed on Ubuntu 20.04 LTS. The steps should be the same for other versions of Ubuntu and other Linux systems.
Prerequisites
This tutorial assumes that you have already installed Ubuntu 20.04 LTS desktop or server version either for local or production usage. You can follow Install Ubuntu 20.04 LTS Desktop, Install Ubuntu 20.04 LTS On Windows Using VMware, and Spin Up Ubuntu 20.04 LTS Server On Amazon EC2 to install Ubuntu 20.04 LTS. It also assumes that you have either root privileges or a regular user with sudo privileges.
It also assumes that the Apache Web Server is already installed. You may follow How To Install Apache 2 On Ubuntu 20.04 LTS, Configure Virtual Host On Apache, and How To Install Let's Encrypt For Apache On Ubuntu.
In the case of production usage, it assumes that you have access to the remote server.
Generate Password
This section provides the steps to generate and store the password using the htpasswd utility. Use the commands below to create the password file and add the first user.

# Install Apache Utils
sudo apt install apache2-utils

# Create Password File
sudo htpasswd -c /<path to .htpasswd>/.htpasswd username

# Example 1
sudo htpasswd -c /etc/secure/.htpasswd nick

# Output
New password: <strong password>
Re-type new password: <strong password>
Adding password for user nick
This generates the password hash and stores the username and hash pair on a separate line in the .htpasswd file. We can add more users to the same file by omitting the -c argument, as shown below. The -c argument creates the file and overwrites an existing one, so using it again would remove the users added earlier.

# Example 2
sudo htpasswd /etc/secure/.htpasswd roy

# Output
New password: <strong password>
Re-type new password: <strong password>
Adding password for user roy
We can also verify the htpasswd file as shown below.
# Echo File Content
cat /etc/secure/.htpasswd

# .htpasswd File Content
nick:$apr1$C9tqmsDt$ztcUda2bK12BC1brVYtv00
roy:$apr1$TAgZlVu1$Vil6BFu75PsErb3tnxv12/
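
The following script is an added example, not part of the original tutorial: it audits a password file like the one shown above for hash scheme, duplicate users, world-readable permissions and placement inside the DocumentRoot. The function names hash_scheme and audit_htpasswd, the temporary paths and the bcrypt-style sample entry are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example: audit an htpasswd file. Function names are hypothetical.

# Map one hash field to the scheme that produced it.
hash_scheme() {
  case "$1" in
    '$2y$'*)   echo bcrypt ;;             # htpasswd -B
    '$apr1$'*) echo apr1-md5 ;;           # htpasswd default: salted MD5, 1000 rounds
    '{SHA}'*)  echo sha1-unsalted ;;      # htpasswd -s
    '')        echo empty ;;
    *)         echo crypt-or-plaintext ;; # htpasswd -d / -p
  esac
}

# Print one finding per line; return 1 if anything was found, else 0.
audit_htpasswd() {
  local file="$1" docroot="$2" rc=0 dir root user hash scheme dup
  dir=$(cd "$(dirname -- "$file")" && pwd -P)
  root=$(cd "$docroot" && pwd -P)
  # A password file under the DocumentRoot may be served to clients.
  case "$dir/" in "$root"/*) echo "FILE inside DocumentRoot"; rc=1 ;; esac
  # World-readable hashes can be copied by any local user and cracked offline.
  if [ -n "$(find "$file" -perm -004)" ]; then echo "FILE world-readable"; rc=1; fi
  # A duplicate user name means one of the entries is silently ignored.
  for dup in $(cut -d: -f1 "$file" | sort | uniq -d); do
    echo "USER $dup listed more than once"; rc=1
  done
  # Report every entry that is not stored as bcrypt.
  while IFS=: read -r user hash; do
    [ -n "$user" ] || continue
    scheme=$(hash_scheme "$hash")
    [ "$scheme" = bcrypt ] || { echo "USER $user hash=$scheme"; rc=1; }
  done < "$file"
  return "$rc"
}

# Constructed sample: the tutorial's nick entry plus a made-up bcrypt-style entry.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/www" "$demo_dir/secure"
cat > "$demo_dir/secure/.htpasswd" <<'EOF'
nick:$apr1$C9tqmsDt$ztcUda2bK12BC1brVYtv00
roy:$2y$10$ConstructedSampleOnlyNotARealBcryptHashValue0123456789ab
EOF
chmod 640 "$demo_dir/secure/.htpasswd"
audit_htpasswd "$demo_dir/secure/.htpasswd" "$demo_dir/www" || true
```

An entry reported as apr1-md5 can be regenerated as bcrypt with `sudo htpasswd -B /etc/secure/.htpasswd nick`.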
Configure Virtual Host
This section provides the configuration required to password-protect the site by updating the virtual host. The virtual host of a site hosted by the Apache Web Server should have a configuration similar to the one shown below.

<VirtualHost *:80>
    ServerName myserver.com
    ServerAlias www.myserver.com
    ServerAdmin admin@myserver.com

    DocumentRoot /var/www/myserver.com

    <Directory /var/www/myserver.com>
        Options -Indexes +FollowSymLinks
        DirectoryIndex index.php
        AllowOverride All
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
The above configuration does not block any resource of the site myserver.com. We can update the virtual host to completely password protect the site by implementing HTTP Basic Authentication as shown below.
<VirtualHost *:80>
    ServerName myserver.com
    ServerAlias www.myserver.com
    ServerAdmin admin@myserver.com

    DocumentRoot /var/www/myserver.com

    <Directory /var/www/myserver.com>
        Options -Indexes +FollowSymLinks
        DirectoryIndex index.php
        AllowOverride All

        # Password Protect the site and restrict access
        AuthType Basic
        AuthName "Restricted Content"
        AuthUserFile /etc/secure/.htpasswd
        Require valid-user
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
The explanation and usage of each parameter are listed below.
- AuthType - Basic - HTTP Basic Authentication checks the submitted username and password against the password file specified by the AuthUserFile configuration. The browser sends the credentials Base64-encoded, not encrypted, so serve the protected site over HTTPS.
- AuthName - We can specify the title of the authentication dialog shown to the users accessing the password-protected site.
- AuthUserFile - The htpasswd file having the username and password as shown in the previous section.
- Require - valid-user - Only allow the users with a valid username and password.
Now restart the Apache Web Server and try to access the site.
# Restart Apache
sudo systemctl restart apache2
The auth dialog should be similar to Fig 1.
The site becomes accessible after entering a valid username and password. If the username or password is wrong, pressing the Cancel button shows the error below, as in Fig 2.
Unauthorized
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.
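
The virtual host in this section listens on port 80, where Basic Authentication credentials cross the network unencrypted. The following check is an added example, not part of the original tutorial: it scans virtual host files and reports every block that enables AuthType Basic without SSLEngine on. The function name basic_auth_without_tls and the sample configuration are assumptions made for the example, and the scan does not follow Include directives or read .htaccess files.

```bash
#!/usr/bin/env bash
# Added example: flag virtual hosts that use Basic authentication without TLS.

# Print "<ServerName> <listen address>" for every <VirtualHost> block that
# contains "AuthType Basic" but no "SSLEngine on". Directive names are
# matched case-insensitively; commented-out lines are skipped.
basic_auth_without_tls() {
  awk '
    { line = tolower($0); sub(/^[ \t]+/, "", line) }
    line ~ /^#/ { next }
    line ~ /^<virtualhost[ \t]/ {
      addr = $2; sub(/>$/, "", addr); name = "-"; basic = 0; tls = 0; next
    }
    line ~ /^servername[ \t]/      { name = $2 }
    line ~ /^authtype[ \t]+basic/  { basic = 1 }
    line ~ /^sslengine[ \t]+on/    { tls = 1 }
    line ~ /^<\/virtualhost>/      { if (basic && !tls) print name, addr }
  ' "$@"
}

# Constructed sample: the tutorial's port 80 host and an abbreviated TLS host.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
<VirtualHost *:80>
    ServerName myserver.com
    <Directory /var/www/myserver.com>
        AuthType Basic
        AuthUserFile /etc/secure/.htpasswd
        Require valid-user
    </Directory>
</VirtualHost>
<VirtualHost *:443>
    ServerName myserver.com
    SSLEngine on
    <Directory /var/www/myserver.com>
        AuthType Basic
        AuthUserFile /etc/secure/.htpasswd
        Require valid-user
    </Directory>
</VirtualHost>
EOF
basic_auth_without_tls "$sample_conf"   # prints: myserver.com *:80
```

On Ubuntu the same function can be run as `basic_auth_without_tls /etc/apache2/sites-enabled/*.conf`.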
Configure Site
This section provides the options to password-protect and restrict access to either the complete site or a part of the site. We can add the same rules as we added to the virtual host by creating the .htaccess file as shown below.

# Add .htaccess to the site root
sudo nano /var/www/myserver.com/.htaccess

# Content
# Password Protect the site and restrict access
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/secure/.htpasswd
Require valid-user

# Save and exit the editor
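This will password-protect and restrict access to the entire site. Because Apache reads .htaccess files on each request, there is no need to reload or restart the Apache Web Server after changing them. The directives take effect only where the virtual host permits them, as AllowOverride All does in the configuration above. Similarly, we can add a .htaccess file to a sub-directory of the site and update it with the same configuration to password-protect only that sub-directory.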
Summary
This tutorial provided the steps required to generate the password file using htpasswd and configure the virtual host to password-protect and restrict access to the whole website. It also showed how to password-protect either the complete site or parts of it using the .htaccess file.