
If you ever need to shield your website from public access, the Apache .htaccess file provides a simple yet powerful way to do it. This article shows how in easy-to-follow steps.

As a first step, we need to make sure that our website configuration will read .htaccess files. To do that, check whether your httpd.conf file or your website's Apache configuration contains the directive:

 AllowOverride ALL

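On an Ubuntu / Debian system this directive defaults to “none”. The directive belongs inside the <Directory> block for your site (the path below is a placeholder):

<Directory /path/to/your/website>
Options Indexes FollowSymLinks MultiViews
AllowOverride ALL
Order allow,deny
allow from all
</Directory>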

If you have made any changes, restart your Apache web server:


# /etc/init.d/apache2 restart

1. AuthType Basic - Single user

This configuration allows only a single user, with the username “lilo”, to access the .htaccess protected website directory. First, we need to create a passwords file. This file will contain a single line defining a user and his/her password as an MD5 hash. Execute the following commands to create the password file:

Note: You do not have to use -m option to use MD5 passwords.

# mkdir /usr/local/apache 
# htpasswd -bcm /usr/local/apache/passwords lilo password-here 

Next, we deploy Basic authentication for a single user with the username lilo. This means only the user lilo will be able to access your .htaccess protected website. Alter or create a .htaccess file within the directory you wish to protect, with the following content:

AuthName ".htaccess protected website"
AuthType Basic
AuthUserFile /usr/local/apache/passwords

require user lilo     

2. AuthType Basic - Multiple users

This is essentially the same configuration as the single-user one above, except that we need to change one .htaccess line:

From:

require user lilo 

To:

require valid-user

So you will end up with:

AuthName ".htaccess protected website"
AuthType Basic
AuthUserFile /usr/local/apache/passwords

require valid-user

Now we can add more users to our previously created passwords file. However, this time we will omit the -c option so that we do not overwrite our previously created /usr/local/apache/passwords file. Let’s add another two users:

# htpasswd -bm /usr/local/apache/passwords john password-here
# htpasswd -bm /usr/local/apache/passwords peter password-here
 

3. AuthType Digest

One disadvantage of basic .htaccess authentication is that passwords are sent as clear text over the Internet, which makes them easy to intercept and abuse. With digest authentication, your passwords are sent as an MD5 hash rather than as clear text. Let’s create .htaccess protection that allows only the user lilo to access our website.

First we need to create a digest passwords file, this time with the htdigest command:

htdigest -c /usr/local/apache/digest-passwords ".htaccess protected website" lilo

Note: The string ".htaccess protected website" is the realm, and it will be displayed in the dialog box when an attempt is made to access the .htaccess protected website. This string must match the AuthName directive below. You can change the realm string to anything you like.

Alter or create a .htaccess file with the following content:

AuthType Digest
AuthName ".htaccess protected website"
AuthUserFile /usr/local/apache/digest-passwords

require user lilo

To let multiple users access your website, change:

From:

require user lilo

To:

require valid-user

and add more users to your /usr/local/apache/digest-passwords file with:

htdigest /usr/local/apache/digest-passwords ".htaccess protected website" john
htdigest /usr/local/apache/digest-passwords ".htaccess protected website" apache

4. Troubleshooting

Error:

/var/www/.htaccess: Invalid command 'AuthDigestFile', perhaps misspelled or 
defined by a module not included in the server configuration

AuthDigestFile is used only by Apache versions < 2.2. For Apache versions > 2.2, use the AuthUserFile directive.
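
The realm match required in section 3 and the AuthDigestFile error above can both be checked before a .htaccess file goes live. The following Python code is an added example, not part of the original article: it builds entries in the htdigest file format (user:realm:MD5(user:realm:password)) and reports mismatches between a .htaccess file and the digest file. The function names, the sample passwords and the "Members only" realm are constructed for illustration.

```python
import hashlib
import shlex

def htdigest_line(user, realm, password):
    """One htdigest entry: user:realm:MD5(user:realm:password)."""
    ha1 = hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()
    return f"{user}:{realm}:{ha1}"

def parse_htaccess(text):
    """Map each directive name (lower-cased) to its argument list."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, *args = shlex.split(line)  # keeps the quoted realm as one token
            directives[name.lower()] = args
    return directives

def check_digest_setup(htaccess_text, digest_text):
    """Return the problems that would stop Digest logins from working."""
    d = parse_htaccess(htaccess_text)
    problems = []
    if "authdigestfile" in d:
        problems.append("AuthDigestFile is pre-2.2 syntax; use AuthUserFile")
    realm = " ".join(d.get("authname", []))
    users = set()  # users that have an entry for exactly this realm
    for entry in digest_text.splitlines():
        if entry.count(":") >= 2:
            user, rest = entry.split(":", 1)
            entry_realm, _ha1 = rest.rsplit(":", 1)
            if entry_realm == realm:
                users.add(user)
    if not users:
        problems.append(f"no digest-file entry uses realm {realm!r}")
    required = d.get("require", [])
    if required[:1] == ["user"]:
        for user in required[1:]:
            if user not in users:
                problems.append(f"user {user!r} has no entry for realm {realm!r}")
    return problems

# Constructed sample data: the .htaccess from section 3 plus two digest entries.
REALM = ".htaccess protected website"
HTACCESS = (f'AuthType Digest\nAuthName "{REALM}"\n'
            "AuthUserFile /usr/local/apache/digest-passwords\n\nrequire user lilo\n")
DIGEST_FILE = "\n".join([htdigest_line("lilo", REALM, "constructed-pw-1"),
                         htdigest_line("john", REALM, "constructed-pw-2")])

if __name__ == "__main__":
    print(check_digest_setup(HTACCESS, DIGEST_FILE))   # realm matches
    print(check_digest_setup(HTACCESS.replace(REALM, "Members only"), DIGEST_FILE))
```

Because the realm is part of the hashed string, changing AuthName invalidates every existing entry, so each user has to be re-added with htdigest under the new realm.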


