
Password protect a Linux web directory

Posted: Tue May 31, 2011 12:33 pm
by admin
Step 1. Configure Apache to Allow Access Authorization
You need to find the httpd.conf file on your Linux server.

This file is the Apache web server configuration file that includes lots of very useful Apache web server controls.

For now, simply open it using a text editor. For Fedora users this is done by simply going to /etc/httpd and opening httpd.conf. For others using various flavors, try using this command to identify the location of the httpd.conf file and edit it: locate httpd.conf

Once you open this file using a text editor, scroll down until you see not the first but the second occurrence of this text: AllowOverride None

Change the line that says:
AllowOverride None
to instead say:
AllowOverride AuthConfig

Be sure to NOT CHANGE the first occurrence of this in the Apache file, which is the default. Change the second occurrence, which is actually the override. This is VERY IMPORTANT! If you run into trouble, make a backup of your httpd.conf file (type: cp httpd.conf httpd.conf.back) and then try using this example. Be sure to reboot the server after you copy our example file.

Step 2. Identify the Folder/Directory to Protect
You should now identify which folders (aka Directories) under your web server you would like to protect. For instance if I want to only allow a certain list of users to access my html files under the Private folder it would look something like the following.

On the Linux server the actual directory path would be:
/var/www/html/Private


Obviously, I'm giving an example to help you see the difference between the folder/directory name on the Linux server and how it looks to web browsers. You MUST change to the appropriate directory/folder when using the steps below. So in my case I type this command first before beginning on my Fedora server:
cd /var/www/html/Private

Step 3. Add Access Files to the Folder
Once you identify the folder you wish to safeguard, then you need to create two files in this folder. The files are: .htaccess and .htpasswd. The .htaccess file displays the access login information needed for users and also includes the list of specific users who can login. The .htpasswd file includes the individual users and their passwords.

Create the .htaccess file in your folder using a text editor. Notice that you must include the . (dot) before the file name!

The file should at least include these lines:
AuthName "Login to the Private Area"
AuthType Basic
AuthUserFile /var/www/html/Private/.htpasswd
Require user vnlisting


Note that the AuthName requires quotes and whatever is in quotes will display on the login window when a user tries to access your private folder with a web browser. It is vital that you properly set the path for the AuthUserFile and obviously replace the word Private with whatever folder you are trying to password protect.

Also be sure to include the user login names of the people you plan to allow into this folder next to the Require user line. In my case, I simply added myself to this folder as a user (vnlisting).

Now, create the .htpasswd file in the same Folder but NOT by using a text editor. Instead use this command from the command line on your Linux server.

Type this command at the prompt:
htpasswd -cmb .htpasswd vnlisting vn4ever

Note that you must use your own name and password (replace vnlisting and vn4ever) and that the option -cmb does the following: First, c forces creation of a new .htpasswd file. Since this is your first time adding a user, it is necessary. Next, the m option forces encryption and b allows you to include the user name and password immediately. In my case I created a new .htpasswd file, then added the user vnlisting and her password vn4ever.

Step 4. Add Additional Users
To add users you simply need to edit both files again. First, add a user to the .htaccess file by opening it in a text editor and including the new person (my example is friends).

The .htaccess file should include these lines:
AuthName "Login to the Private Area"
AuthType Basic
AuthUserFile /var/www/html/Private/.htpasswd
Require user vnlisting friends


Remember to save the file when you're done adding the new user!
Now add the user (my example being friends) to the .htpasswd file using this command:
htpasswd -mb .htpasswd friends 2theend

In my example, I used the htpasswd command to add the user friends, using encryption, to the .htpasswd file that already exists, with his password set to 2theend. That's it!

Step 5. Test the Password Function
Now test that the Apache server is accepting this new protected folder by going to it in a web browser. In my case I test the url http://your_server.com/Private and up comes a pop-up window that requires User Name and Password. I type in my user name and password and instantly I see the index.html page I put in my folder! People who don't have a login won't get access to your web pages within this folder.

What if it didn't work? Almost always this is a result of the httpd process not being restarted. You can easily restart this process to pick up the changes in your updated httpd.conf file by either rebooting or restarting the process. A reboot works fine, so long as you can tolerate a web server outage for a minute or two. Or, on most flavors you can type this command as root user: ./httpd start

Step 6. What About Removing Users
There may come a time when you need to delete users from the access. You can do this easily enough by again editing the .htaccess file and running a command to delete the user from the .htpasswd file.

First, edit the .htaccess file and remove the user you do not wish to allow access to and save the file.

Second, delete the user from the .htpasswd file by typing this command at the prompt:
htpasswd -D .htpasswd friends
The option -D is for delete. It should prompt you that user friends was deleted.
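
An added example, not part of the original post: a shell audit of a folder set up as in Steps 3 to 6. It checks that every login on the Require user line has an entry in the file AuthUserFile points to, reports the hash scheme of each entry, and lists entries that .htaccess no longer names. The function names, the temporary folder and the hash strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit .htaccess/.htpasswd consistency for one protected folder.
# Function names and all sample data below are constructed, not from the post.

# Print every login named on "Require user" lines of an .htaccess file.
required_users() {
    awk 'tolower($1)=="require" && tolower($2)=="user" { for (i=3;i<=NF;i++) print $i }' "$1"
}

# Classify the hash field of an .htpasswd entry by its prefix.
hash_scheme() {
    case "$1" in
        '$apr1$'*) echo apr1-md5 ;;            # what "htpasswd -m" writes
        '$2y$'*)   echo bcrypt ;;              # what "htpasswd -B" writes
        '{SHA}'*)  echo sha1-unsalted ;;
        *)         echo crypt-or-plaintext ;;
    esac
}

# Report one finding per line for the folder given as $1.
audit_dir() {
    dir=$1; ht="$dir/.htaccess"
    pw=$(awk 'tolower($1)=="authuserfile" { print $2 }' "$ht")
    [ -n "$pw" ] || { echo "FAIL no AuthUserFile in $ht"; return 0; }
    [ -f "$pw" ] || { echo "FAIL AuthUserFile $pw does not exist"; return 0; }
    case "$pw" in "$dir"/*) echo "WARN $pw is inside the served folder" ;; esac
    for u in $(required_users "$ht"); do
        h=$(awk -F: -v u="$u" '$1==u { print $2 }' "$pw")
        if [ -z "$h" ]; then echo "FAIL $u is required but has no entry in $pw"
        else echo "OK $u $(hash_scheme "$h")"; fi
    done
    # Entries nobody requires any more: Step 6 was only half done.
    for u in $(cut -d: -f1 "$pw"); do
        required_users "$ht" | grep -qx "$u" || echo "WARN $u is in $pw but not in Require user"
    done
}

# Constructed sample: "friends" was added to .htaccess only, "olduser" removed from it only.
demo=$(mktemp -d)
cat > "$demo/.htaccess" <<EOF
AuthName "Login to the Private Area"
AuthType Basic
AuthUserFile $demo/.htpasswd
Require user vnlisting friends
EOF
cat > "$demo/.htpasswd" <<'EOF'
vnlisting:$apr1$CONSTRUC$notARealHashValue0000
olduser:{SHA}notARealHashValue=
EOF
audit_dir "$demo"
```

On a real server, call audit_dir with the protected folder, for example audit_dir /var/www/html/Private.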