Password Protecting Directories and Files in Apache
Sometimes you may need to distribute files to various users over the Internet. Instead of giving each user a separate account, it is often easier to put the files on a Web page and use Apache's htpasswd to control the remote access.
Step 1: Create a file named .htaccess in the directory you want to protect.
AuthName "Password protected files" AuthType Basic AuthUserFile /home/somewhere/.htpasswd Require valid-user
Keep the .htpasswd file someplace secure where it is not accessible by a browser. Set its permissions so Apache can read it.
Step 2: Create the new user
cd /home/somewhere/ htpasswd -m .htpasswd username
If the .htpasswd file doesn't exist, use this command instead:
htpasswd -cm .htpasswd username
which will create a new .htpasswd file and delete the old one.
Step 3: Edit httpd.conf
Change the AllowOverride option
# AllowOverride controls what directives may be placed in .htaccess files. # It can be "All", "None", or any combination of the keywords: # Options FileInfo AuthConfig Limit # # AllowOverride None AllowOverride AuthConfig Limit
and restart Apache. This only needs to be done once.
Sometimes it can be tricky to get Apache to block a directory, especially if it's in the DocumentRoot folder, because other directives in the httpd.conf file counteract it. The usual solution is to place the protected files in a directory outside of the Apache area altogether.
Another annoyance is that once you've typed a valid password, it's necessary to stop and re-start your browser before Apache asks for the password again.
The AllowOverride option can also be placed in your httpd.conf file. Here's an example:
<Directory "/usr/local/awstats/wwwroot"> Options None AllowOverride AuthConfig AuthName "Password Protected Files" AuthType Basic AuthUserFile /usr/local/httpd/.htpasswd Require valid-user </Directory>