Password Protecting Directories and Files in Apache

Sometimes you may need to distribute files to various users over the Internet. Instead of giving each user a separate account, it is often easier to put the files on a Web page and use Apache's htpasswd to control the remote access.

Step 1: Create a file named .htaccess in the directory you want to protect.

AuthName "Password protected files"
AuthType Basic
AuthUserFile /home/somewhere/.htpasswd
Require valid-user

Keep the .htpasswd file someplace secure where it is not accessible by a browser. Set its permissions so Apache can read it.

Step 2: Create the new user

cd /home/somewhere/
htpasswd -m .htpasswd username
The '-m' option uses Apache's modified MD5 algorithm to encrypt the password. This will allow the password file to be used with Apache on any operating system.

If the .htpasswd file doesn't exist, use this command instead:
htpasswd -cm .htpasswd username

which will create a new .htpasswd file and delete the old one.

Step 3: Edit httpd.conf

Change the AllowOverride option
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
#   Options FileInfo AuthConfig Limit
#    AllowOverride None
    AllowOverride AuthConfig Limit

and restart Apache. This only needs to be done once.


Sometimes it can be tricky to get Apache to block a directory, especially if it's in the DocumentRoot folder, because other directives in the httpd.conf file counteract it. The usual solution is to place the protected files in a directory outside of the Apache area altogether.

Another annoyance is that once you've typed a valid password, it's necessary to stop and re-start your browser before Apache asks for the password again.

The AllowOverride option can also be placed in your httpd.conf file. Here's an example:
<Directory "/usr/local/awstats/wwwroot">
    Options None
    AllowOverride AuthConfig
    AuthName "Password Protected Files"
    AuthType Basic
    AuthUserFile /usr/local/httpd/.htpasswd
    Require valid-user
This directory can be anywhere in your filesystem. You can also password protect individual files by specifying "Files" instead of "Directory".