Apache .htaccess directory access protection

When running an Apache web server on a Linux system, there may be some directories that you don’t want everyone in the world to be able to access. Apache gives us a couple of different tools that website administrators can use to protect a directory.

One of the most common ways to restrict access to a folder is through the .htaccess file. With this configuration in place, users are prompted for a password whenever they request the protected URL. But we can also configure the same protection without .htaccess.

In this guide, we’ll go over the step by step instructions for protecting a directory on an Apache web server, through two different methods. Follow along with us to get the password protection set up on your own website.

In this tutorial you will learn:

  • How to protect a directory using an .htaccess file
  • How to protect a directory without an .htaccess file

We are prompted for a username and password when trying to access the protected directory


Software Requirements and Linux Command Line Conventions

Category: Requirements, Conventions or Software Version Used
System: Any Linux distro
Software: Apache web server
Other: Privileged access to your Linux system as root or via the sudo command.
Conventions:
  # – requires given Linux commands to be executed with root privileges, either directly as the root user or by use of the sudo command
  $ – requires given Linux commands to be executed as a regular non-privileged user

Protect a directory using .htaccess file



The .htaccess file is a configuration file used by Apache. You can drop an .htaccess file into any directory that you want to configure additional settings for. Follow the steps below to set up password authentication on an Apache web server directory by using an .htaccess file.

  1. Start by creating a username and password that we’ll use in order to enter the protected directory. We’ll use the htpasswd utility to generate this information, and the file can be stored anywhere on your system. In this example, we’ll create a user named linuxconfig. You’ll be prompted for a new password twice when executing this command.
    $ htpasswd -c /home/linuxconfig/.htpasswd linuxconfig
    
  2. Before we can use our new user account and password, we must configure Apache to read the .htaccess file. By default, it will ignore this file. You can either apply this setting globally by editing the Apache configuration file, or edit your Apache virtual host to apply the configuration to an individual site.
    $ sudo nano /etc/apache2/sites-available/000-default.conf
    

    The lines we need to add are below. Substitute the directory that you’re trying to protect in place of our example.

    <Directory /var/www/html/protected/>
    	AllowOverride All
    </Directory>
    


  3. Add the AllowOverride setting in order for Apache to read our .htaccess file


  4. Restart apache for these new changes to take effect.
    $ sudo systemctl restart apache2
    

    Or on RHEL based systems:

    $ sudo systemctl restart httpd
    
  5. Next, create the .htaccess file in the directory that you wish to protect. In this example, we’ll secure the /var/www/html/protected directory.
    $ nano /var/www/html/protected/.htaccess
    
  6. Paste the following lines in this file, then save your changes.
    AuthType Basic
    AuthName "Authentication Required"
    AuthUserFile "/home/linuxconfig/.htpasswd"
    Require user linuxconfig
    

    Alternatively, change the last line to Require valid-user if you plan to set up multiple user accounts that will access this directory.

  7. Finally, navigating to the protected directory in a browser should prompt us for a username and password before we can access the contents.
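Apache accepts the four directives in the .htaccess file above under the narrower AllowOverride AuthConfig, so AllowOverride All grants more than password protection needs. The script below is an added example, not part of the original guide: it compares the override configured for a directory with what its .htaccess file uses, and its function names and output wording are illustrative.

```shell
# Added example, not from the original guide: compare the AllowOverride value
# configured for a directory with what its .htaccess file actually needs.
# Function names and output wording are illustrative.

# Print the AllowOverride value from the <Directory> block for $2 in config $1.
configured_override() {
    awk -v want="${2%/}" '
        tolower($1) == "<directory" {
            dir = $2; gsub(/[">]/, "", dir); sub(/\/$/, "", dir); next
        }
        tolower($1) == "</directory>" { dir = ""; next }
        dir == want && tolower($1) == "allowoverride" {
            $1 = ""; sub(/^ +/, ""); print; exit
        }
    ' "$1"
}

# Print "AuthConfig" when the .htaccess file holds only the authentication
# directives used in this guide; otherwise name the directives that need more.
needed_override() {
    awk '
        BEGIN { split("authtype authname authuserfile require", a, " ")
                for (i in a) auth[a[i]] = 1 }
        NF == 0 || $1 ~ /^#/ { next }
        !(tolower($1) in auth) { extra = extra " " $1 }
        END { print (extra == "" ? "AuthConfig" : "more than AuthConfig:" extra) }
    ' "$1"
}

# usage: check_override <vhost-config> <directory>
check_override() {
    have=$(configured_override "$1" "$2")
    need=$(needed_override "${2%/}/.htaccess")
    if [ "$need" = "AuthConfig" ] && printf '%s\n' "$have" | grep -qix 'all'; then
        echo "$2: AllowOverride All can be narrowed to AllowOverride AuthConfig"
    else
        echo "$2: AllowOverride ${have:-unset}, .htaccess needs $need"
    fi
}

# Demo on constructed copies of the two files from this guide.
demo=$(mktemp -d) && mkdir "$demo/protected"
printf '<Directory %s/protected/>\n\tAllowOverride All\n</Directory>\n' "$demo" > "$demo/site.conf"
printf '%s\n' 'AuthType Basic' 'AuthName "Authentication Required"' \
    'AuthUserFile "/home/linuxconfig/.htpasswd"' 'Require user linuxconfig' \
    > "$demo/protected/.htaccess"
check_override "$demo/site.conf" "$demo/protected"
rm -rf "$demo"
```
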



Protect a directory without .htaccess file

We can secure a directory on our web server without needing to use an .htaccess file at all. You’ll need the htpasswd utility, which should have been installed automatically along with Apache. Follow the steps below to see how to use it to create a password protected web directory.

  1. Start by configuring your virtual host file to use authentication for access to the directory that you want to protect. We’re just editing the default configuration file, but replace the file name with the name of your own.
    $ sudo nano /etc/apache2/sites-available/000-default.conf
    
  2. Place the following lines inside your file. The directory we are trying to protect is /var/www/html/secret, but make sure you change this setting to reflect the directory that you wish to protect. Our .htpasswd authentication file is located in /home/linuxconfig/.htpasswd, so make sure you also substitute your own location for this.
    <Directory /var/www/html/secret/>
            AuthType Basic
            AuthName "Authentication Required"
            AuthUserFile "/home/linuxconfig/.htpasswd"
            Require valid-user
    </Directory>
    
  3. Add authentication settings to Apache virtual host file


  4. Next, generate the authentication file by executing the htpasswd command. Again, substitute your own directory and decide where this file should be stored on your system. We will be creating authentication for user linuxconfig in this example.
    $ htpasswd -c /home/linuxconfig/.htpasswd linuxconfig
    


    You’ll be prompted to enter a password twice, and then the file will be created. Your password is stored as a salted hash rather than in plain text, and you can view the hash inside the file.

    $ cat /home/linuxconfig/.htpasswd 
    linuxconfig:$apr1$lYH8Fue2$9En2dqIrKbsLjb0XRc9cl0
    
  5. Restart apache for these new changes to take effect.
    $ sudo systemctl restart apache2
    

    Or on RHEL based systems:

    $ sudo systemctl restart httpd
    
  6. Now, accessing the protected directory we configured earlier should prompt you for a username and password.
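Both methods in this guide rely on the same .htpasswd file, so its location, permissions and hash scheme are worth checking once it exists. The script below is an added example, not part of the original guide; the function name and output wording are illustrative, and the second sample entry is a constructed value.

```shell
# Added example, not from the original guide: audit an htpasswd file.
# usage: audit_htpasswd <htpasswd-file> <document-root>
# The function name and output wording are illustrative.
audit_htpasswd() {
    file=$1
    docroot=${2%/}

    # A password file under the document root can be served over HTTP
    # if the server rule that blocks ".ht*" files is missing.
    case "$file" in
        "$docroot"/*) echo "location: inside document root" ;;
        *)            echo "location: outside document root" ;;
    esac

    # With the "other" read bit set, every local account can read the hashes;
    # owner or group access for the Apache user is enough.
    if [ -n "$(find "$file" -perm -004)" ]; then
        echo "permissions: world-readable"
    else
        echo "permissions: not world-readable"
    fi

    # Classify each entry by the prefix of its stored hash.
    while IFS=: read -r user hash rest; do
        [ -n "$user" ] || continue
        case "$hash" in
            '$2y$'*)   scheme="bcrypt" ;;
            '$apr1$'*) scheme="apr1 (salted MD5)" ;;
            '{SHA}'*)  scheme="SHA-1 (unsalted)" ;;
            *)         scheme="other (crypt or plain text)" ;;
        esac
        echo "user $user: $scheme"
    done < "$file"
}

# Demo on a constructed file: the first entry is the line shown in this guide,
# the second is a made-up value in the {SHA} format.
demo=$(mktemp -d)
printf '%s\n' 'linuxconfig:$apr1$lYH8Fue2$9En2dqIrKbsLjb0XRc9cl0' \
    'bob:{SHA}constructed-sample-value=' > "$demo/.htpasswd"
chmod 640 "$demo/.htpasswd"
audit_htpasswd "$demo/.htpasswd" /var/www/html
rm -rf "$demo"
```
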

Closing Thoughts

In this guide, we saw how to secure a web server directory by using two different methods in Apache. Apache gives us simple and powerful ways to protect directories and files, allowing us to put private files on our website without worrying about the wrong person accessing them. Whether you choose to use an .htaccess file or not, securing a directory is a short task that only takes a few steps.


