Jan 032000

Protected Apache directories

This article tells you how you can create password protected directories on your website.  First we will add a user, then we will give them access to a directory.

NOTE: You will need at least AllowOverride AuthConfig on the directory you are trying to protect.


<Directory "/path/to/protected/directory">
        AllowOverride AuthConfig

The above goes into the section of your apache configuration file (either http.conf or apache.conf depending on your installation) for the website in question.   Something like this:

        <Directory "/path/to/protected/directory">
                AllowOverride AuthConfig

See also the bit about symlinks.

Password file

Apache uses a password file.  Each user will have an entry in that file.

The first step is creating a password file.  Your website may already have one.  You might want to use that.  The -c option creates a new file and deletes it if it exists.  I was lucky and it was already on my machine.   However, I’ve seen many messages in the mailing list which showed that some people were having trouble creating it.  I will eventually find out how to install this program.  I found mine at:


Here’s how I added dan as a user.  You may have to supply the full path name as shown above.  You can always issue a locate htpasswd to find it.

$ htpasswd -c httpd_access dan
Adding password for dan.
New password:
Re-type new password:

The above creates a file httpd_access.  Within that file you will find something like this:


This contains the encrypted password I entered above (don’t bother trying to crack it, I made that string up).  The contents of this file needs to be added to the AuthUserFile as indicated by .htaccess.  See the next section for more information.

Protecting the directory

The basis of directory protection within Apache is the .htaccess file.   Here is a working example to get you going.  I added this file to a directory I wished to protect.

# -FrontPage-

IndexIgnore .*
AuthName protectthis
AuthUserFile  /home/susan/public_html/_vti_pvt/service.pwd
AuthGroupFile /home/susan/public_html/_vti_pvt/service.grp
AuthType Basic
<Limit GET>
    require user susan

With the above configuration, only susan can get access to this directory.  You an also use groups or just all any user.  The following statement would allow any valid user access to the directory.

require valid-user

You also need the service.pwd and service.grp files.  Here are some examples (again, I made up these encrypted passwords):

administrators: admin
If your AuthUserFile and AuthGroupFile already exist, you should use them.   Otherwise you can use these examples to create your own.

If you are adding a new user, as in the previous section, you can just add the output from htpasswd to the end of service.pwd.

For more information on this type of configuration, please try the following resources within the Apache manual.  Particularly the Run-time configuration directives.

Problems I found

One day I tried adding access restrictions to a whole website using the above instructions.  I had trouble.  I kept getting the following error:
Internal Server Error

The server encountered an internal error or misconfiguration
and was unable to complete your request.

Please contact the server administrator, dan@rock.ghis.net
and inform them of the time the error occurred, and anything
you might have done that may have caused the error.

More information about this error may be available in the 
server error log.

Apache/1.3.9 Server at myhost.mydomain.org Port 80

But I found no help in neither my access logs nor my error logs.  Eventually I read the manual entry for require and discovered that my .htaccess file did not have an AuthType directive.  I added that in and all was well.

See also the symlink issues in the next section.

Symbolic links (added on 19 September 2000)

If you have a symbolic link, sometimes that screws things ups.  Let’s assume /www is symlinked to /usr/local/apache,   and each of your virtual hosts is a sub-directory in /usr/local/apache.   You are trying to protect /www/mydomain/secret.  You should put your AllowOverride on /www/mydomain/secret, not /usr/local/apache/mydomain/secret.   Basically, use the pathname as found in the vhost declaration., regardless of any symlinks.

A final word

In hindsight, I think this article assumes a bit too much.  For example, it assumes you already have the AuthUserFile and the AuthGroupFile.  I suggest you read the article http://www.sheamus.force9.co.uk/user/password.html as well.  It might give you enough.  If it doesn’t, add your comments.

28 March 2000 – This seems to be a good resource for this topic: http://kb.indiana.edu/data/abeq.html?cust=2008