Apache password protect directory

Password-protecting a directory on Apache is another task I do intermittently enough to forget the exact syntax. This assumes you have command-line access to your server to create the password file. If you are using the Apache config in an .htaccess file (easiest, but not the best for production sites), make sure that directory has the appropriate Apache permissions (AllowOverride).

First, create (-c) or update the password file:

htpasswd [ -c ] [ -m ] [ -D ] passwdfile username

-c Create the passwdfile. If passwdfile already exists, it is rewritten and truncated. This option cannot be combined with the -n option.
-m Use MD5 encryption for passwords. On Windows, Netware and TPF, this is the default.
-D Delete user. If the username exists in the specified htpasswd file, it will be deleted.

Then, update the Apache config (or .htaccess):

AuthUserFile /var/www/path/to/.htpasswd
AuthName "Title for Protected Site"
AuthType Basic
Require valid-user
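
To see which hash scheme each entry in the AuthUserFile password file uses (the -m option above selects MD5), the file can be audited line by line. This is an added example, not code from the original post; the sample entries are constructed, and which schemes count as acceptable is this example's own assumption.

```python
import re
import sys

# (pattern, scheme name, acceptable?) checked in order. Prefixes are the ones
# htpasswd writes; the "acceptable" column is this example's own assumption.
SCHEMES = [
    (re.compile(r"^\$2[aby]\$\d{2}\$"), "bcrypt", True),
    (re.compile(r"^\$[56]\$"), "sha2-crypt", True),
    (re.compile(r"^\$apr1\$"), "apr1-md5", False),       # what -m produces
    (re.compile(r"^\{SHA\}"), "sha1-unsalted", False),
    (re.compile(r"^[./0-9A-Za-z]{13}$"), "des-crypt", False),
]

# Constructed sample entries (not real credentials or real hashes).
SAMPLE = """\
# staging users
alice:$apr1$abcdefgh$0123456789abcdefghijkl
bob:$2y$05$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234
carol:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
dave:ab0123456789.
erin:hunter2
"""

def classify(hash_field):
    """Return (scheme, acceptable) for the part after 'user:'."""
    for pattern, name, ok in SCHEMES:
        if pattern.search(hash_field):
            return name, ok
    return "plaintext-or-unknown", False

def audit(text):
    """Return [(line_no, user, scheme)] for entries that should be re-hashed."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):   # mod_authn_file skips these too
            continue
        user, sep, hash_field = line.partition(":")
        if not sep:
            findings.append((n, line, "malformed"))
            continue
        scheme, ok = classify(hash_field)
        if not ok:
            findings.append((n, user, scheme))
    return findings

if __name__ == "__main__":
    # Audit the file given as the first argument, or the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for n, user, scheme in audit(text):
        print(f"line {n}: {user}: {scheme}")
```

Entries it reports can be re-created with htpasswd -B, which selects bcrypt in Apache 2.4.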

You can also allow access from just certain IP addresses or domains, either instead of or in addition to user/pass. A whole or partial IP can be specified like so:

Allow from apache.org
Allow from
Allow from 10 172.20
Allow from 2001:db8::a00:20ff:fea7:ccea

(Note that IP and domain info can be faked pretty easily, so this method should not be used on anything too sensitive. In those cases, a public-private key/browser certificate system is best.)

There are also times that you want to restrict access to or from certain user agents. This can be done like so:

SetEnvIf User-Agent ^KnockKnock/2\.0 let_me_in
<Directory /docroot>
Order Deny,Allow
Deny from all
Allow from env=let_me_in
</Directory>

For more info on .htaccess, see: Apache Tutorial: .htaccess files

One Response to “Apache password protect directory”

  1. lars says:

    to enable .htaccess:

    <directory /var/www/public_html >
          AllowOverride all
    </directory>
