Unlike Nginx HTTP, Apache2 comes with a utility that allows for webmasters to provide basic authentication and authorization on web directories… One can use Apache2 utilities package to restrict access to directories with basic HTTP password authentication… This brief tutorial shows students and new users how to use Apache2 utils to generate basic password authentication for Apache2 directories.
This feature can be used to protect directories and restricting access to only authorized users… It’s great feature and can be used to add additional layer of protection to existing directories..
To protect Apache2 directories with basic password authentication, the steps below is a great place to start:
Step 1: Install Apache2 HTTP Utility
Apache2 utilities package is easy to install… To install, run the commands below
sudo apt update sudo apt install apache2 apache2-utils
Step 2: Create a .htpasswd file
Now that you’ve installed Apache2 utils, run the commands below to create password file for users.. The commands below will prompt you to create a new password for the username specified and store the file in the directory defined.. /etc/apache2/.htpasswd
sudo htpasswd -c /etc/apache2/.htpasswd myusername
Replace myusername with the username you wish to use. You can choose any directory to save the htpasswd file… however, you must specify the location when configuring Apache2…
After running the commands above, a new hidden passwd file for the username you selected will be saved in the /etc/apache2/.htpasswd file.
Below is the output of the command:
sudo htpasswd -c /etc/apache2/.htpasswd richard
New password:
Re-type new password:
Adding password for user richard
Step 3: Protect Apache2 Directories
Now that the password file is created, use the highlighted code block below to protect a Apache2 directory.
Apache2 default site configuration file is at /etc/apache2/sites-available/default
Add these lines below to the directory you want to protect…
<VirtualHost *:80>
ServerAdmin admin@example.com
DocumentRoot /var/www/html/
ServerName example.com
ServerAlias www.example.com
<Directory /var/www/html/>
Options +FollowSymlinks
AllowOverride All
Require all granted
</Directory>
<Directory "/var/www/html/Private">
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Save the file.
Everytime you attempt to browse to the /Private directory, you should get a basic HTTP authentication prompt to type a username and password.
To protect the entire Apache2 site, define the root location to protect: /var/www/html
Example:
<VirtualHost *:80>
ServerAdmin admin@example.com
DocumentRoot /var/www/html/
ServerName example.com
ServerAlias www.example.com
<Directory /var/www/html/>
Options +FollowSymlinks
AllowOverride All
Require all granted
</Directory>
<Directory "/var/www/html">
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Save the file.
The next time you browse to the domain, you will be prompted as show below…
That’s it!
You may also like the post below:
Protect Nginx Directories with Apache2 HTTP Basic Authentication on Ubuntu 16.04 LTS