
If you ever need to shield your website from public access, Apache's .htaccess file provides a simple yet powerful way to do it. This article shows you how in simple, easy-to-follow steps.

As a first step, we need to make sure that our website configuration will read .htaccess files. To do that, check whether your httpd.conf file or your website's Apache settings contain the directive:

 AllowOverride ALL

On an Ubuntu / Debian system this directive defaults to “none”.

Options Indexes FollowSymLinks MultiViews
AllowOverride ALL
Order allow,deny
allow from all

If you have made any changes, restart your Apache web server:


# /etc/init.d/apache2 restart

1. AuthType Basic - Single user

This configuration allows only a single user with the username “lilo” to access the .htaccess protected website directory. First, we need to create a passwords file. This file will simply contain a single line defining a user and his/her password in MD5 hash form. Execute the following commands to create the password file:

Note: You do not have to use the -m option to use MD5 passwords.

# mkdir /usr/local/apache 
# htpasswd -bcm /usr/local/apache/passwords lilo password-here 

Next, we deploy Basic authentication for a single user with the username lilo. This means only user lilo will be able to access your .htaccess protected website. Alter or create a .htaccess file within the directory you wish to protect, with the following content:

AuthName ".htaccess protected website"
AuthType Basic
AuthUserFile /usr/local/apache/passwords

require user lilo     

2. AuthType Basic - Multiple users

This is essentially the same configuration as the single-user configuration above, except that we need to change one .htaccess line:

From:

require user lilo 

To:

require valid-user

So you will end up with:

AuthName ".htaccess protected website"
AuthType Basic
AuthUserFile /usr/local/apache/passwords

require valid-user

Now we can add more users to our previously created passwords file. However, this time we omit the -c option so that we do not overwrite our previously created /usr/local/apache/passwords file. Let’s add another two users:

# htpasswd -bm /usr/local/apache/passwords john password-here
# htpasswd -bm /usr/local/apache/passwords peter password-here
 

3. AuthType Digest

One disadvantage of Basic .htaccess authentication is that passwords are sent as clear text over the Internet. This makes them easy to intercept and abuse. With Digest authentication, your passwords are sent in MD5 hash form instead. Let’s create .htaccess protection that allows only the user lilo to access our website.

First we need to create a digest passwords file, this time with the htdigest command:

htdigest -c /usr/local/apache/digest-passwords ".htaccess protected website" lilo

Note: The string ".htaccess protected website" is the realm, and it will be displayed in the dialog box when an attempt is made to access the .htaccess protected website. This string must match the AuthName directive below. You can change the realm string to anything you like.

Alter or create a .htaccess file with the following content:

AuthType Digest
AuthName ".htaccess protected website"
AuthUserFile /usr/local/apache/digest-passwords

require user lilo

To let multiple users access your website, change:

From:

require user lilo

To:

require valid-user

and add other users to your /usr/local/apache/digest-passwords file with:

htdigest /usr/local/apache/digest-passwords ".htaccess protected website" john
htdigest  /usr/local/apache/digest-passwords ".htaccess protected website" apache
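
The realm requirement from the note above can be checked offline. The following Python sketch is an added example, not part of the original article: it builds lines in the user:realm:MD5(user:realm:password) format that htdigest writes, computes the RFC 2617 qop=auth response a client sends in place of the password, and lists entries whose realm does not match AuthName. Function names, passwords and nonce values are assumptions made for illustration.

```python
import hashlib

def ha1(user, realm, password):
    """Hash stored by htdigest: MD5 of "user:realm:password"."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()

def htdigest_line(user, realm, password):
    """One line of the digest password file: user:realm:hash."""
    return f"{user}:{realm}:{ha1(user, realm, password)}"

def digest_response(stored_ha1, method, uri, nonce, nc, cnonce):
    """RFC 2617 qop=auth response: the value sent instead of the password."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    data = f"{stored_ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}"
    return hashlib.md5(data.encode()).hexdigest()

def unusable_entries(file_lines, auth_name):
    """Users whose stored realm differs from AuthName and so never match."""
    bad = []
    for line in file_lines:
        line = line.strip()
        if not line:
            continue
        # The user name comes first and the hash last; the realm is in between.
        user, rest = line.split(":", 1)
        realm, _hash = rest.rsplit(":", 1)
        if realm != auth_name:
            bad.append(user)
    return bad

# Constructed sample data: passwords and nonces are placeholders.
REALM = ".htaccess protected website"  # must equal AuthName in .htaccess
SAMPLE_FILE = [
    htdigest_line("lilo", REALM, "example-pass-1"),
    htdigest_line("john", "Protected Website", "example-pass-2"),  # wrong realm
]

if __name__ == "__main__":
    print("entries that cannot authenticate:", unusable_entries(SAMPLE_FILE, REALM))
    stored = SAMPLE_FILE[0].rsplit(":", 1)[1]
    print("response on the wire:",
          digest_response(stored, "GET", "/", "constructed-nonce", "00000001", "abcd1234"))
```

Because the realm is part of the hashed string, changing AuthName later means every user's entry has to be re-created with htdigest.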

4. Troubleshooting

Error:

/var/www/.htaccess: Invalid command 'AuthDigestFile', perhaps misspelled or 
defined by a module not included in the server configuration

AuthDigestFile is used only by Apache versions < 2.2. For Apache versions > 2.2, use the AuthUserFile directive.


