Apache : Password Protecting Folders using .htaccess

27 / Dec / 2012 by raj 1 comments

When a user requests a site hosted on apache, Apache first looks for the default file which is generally named “index.html” or “index.php” or something like that in the root directory. We can set/change this order by adding the following directive in the configuration file (present in /etc/apache2/sites-available folder in ubuntu) of the site:

<Directory /var/www/site1/>
    DirectoryIndex index.php index.html first.php

Here /var/www/site1/ is the root directory which contains the site files and folders. We will need to restart apache for the above change to take effect.
Now, apache will first look for a file named “index.php”. If it is found, it will be rendered to the user. If it is not found then apache will look for “index.html” and so on. However, if none of the above listed files are found in the root directory, then apache will simply list all the files and folders present in the root directory.

If the site contains sensitive files, it is not secure to show list of files to every visitor. In that case, we can hide the listing of files and folders by changing the configuration file as:

<Directory /var/www/site1/>
	Options -Indexes

Here, we are simply turning off listing of files and folders by using Options -Indexes. But this is not always the desired scenario. Sometimes, we want to show the directory listing to few users and hide it from others. In that case we can password protect the directory listing such that only authorized users can view the list. Here is how to do it:

1. Create a file named .htaccess in the root directory (if it’s not already there). I created it in /var/www/site1 folder.

2. Insert the following lines into .htaccess file:

AuthType Basic
AuthName "Please enter your credentials"
AuthUserFile /var/.htpasswd
Require valid-user

AuthType Basic : It enables the basic authentication

AuthName “Please enter your credentials” : This will appear as a message when user tries to access the directory.

AuthUserFile /var/.htpasswd :

htpasswd is a apache command line utility to create .htpasswd file. If it is not already installed, we can install it by

sudo apt-get install apache2-utils

.htpasswd is the file that will store the usernames and passwords (filename can be anything but it is a good convention to use .htpasswd as filename). We can also create this file inside the root directory of the site (or location of our choice) but the best place to put this file in is /var directory for security reasons. We can create this file by the following command:

htpasswd -c /var/.htpasswd user1

Here we are creating the .htpasswd file and creating a user with username user1. Then it will prompt for password. The password is stored in encoded form.
We can add more users by the following command:

htpasswd /var/.htpasswd user2

Require valid-user : It allows only those users whose entry exists in .htpasswd to login and view the listing.

Now, when the user tries to access the root directory of the site, the following screen will appear:


Raj Gupta


comments (1 “Apache : Password Protecting Folders using .htaccess”)

Leave a comment -