Protected Apache directories
This article tells you how you can create password protected directories on your
website. First we will add a user, then we will give them access to a directory.
You will need at least AllowOverride AuthConfig on the directory you are trying to
<Directory "/path/to/protected/directory"> AllowOverride AuthConfig </Directory>
The above goes into the section of your apache configuration file (either http.conf
or apache.conf depending on your installation) for the website in question.
Something like this:
<VirtualHost 192.168.0.78> . . . <Directory "/path/to/protected/directory"> AllowOverride AuthConfig </Directory> . . . </VirtualHost>
See also the bit about symlinks.
Apache uses a password file. Each user will have an entry in that file.
first step is creating a password file. Your website may already have one. You
might want to use that. The -c option creates a new file and deletes it
if it exists. I was lucky and it was already on my machine. However, I’ve
seen many messages in the mailing list which showed that some people were having trouble
creating it. I will eventually find out how to install this program. I found
Here’s how I added dan as a user. You may have to supply the full path name as
shown above. You can always issue a locate htpasswd to find it.
$ htpasswd -c httpd_access dan Adding password for dan. New password: Re-type new password:
The above creates a file httpd_access. Within that file you will find
something like this:
This contains the encrypted password I entered above (don’t bother trying to crack it,
I made that string up). The contents of this file needs to be added to the AuthUserFile
as indicated by .htaccess. See the next section for more information.
Protecting the directory
The basis of directory protection within Apache is the .htaccess file.
Here is a working example to get you going. I added this file to a directory
I wished to protect.
require user susan
With the above configuration, only susan can get access to this directory. You an
also use groups or just all any user. The following statement would allow any valid
user access to the directory.
You also need the service.pwd and service.grp files. Here
are some examples (again, I made up these encrypted passwords):
If your AuthUserFile and AuthGroupFile already exist, you should use them.
Otherwise you can use these examples to create your own.
If you are adding a new user,
as in the previous section, you can just add the output from htpasswd to the end
Problems I found
One day I tried adding access restrictions to a whole website using the above
instructions. I had trouble. I kept getting the following error:
Internal Server Error The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator, email@example.com and inform them of the time the error occurred, and anything you might have done that may have caused the error. More information about this error may be available in the server error log. Apache/1.3.9 Server at myhost.mydomain.org Port 80
But I found no help in neither my access logs nor my error logs. Eventually I
read the manual entry for require
and discovered that my .htaccess file did not have an AuthType
directive. I added that in and all was well.
See also the symlink issues in the next section.
Symbolic links (added on 19 September 2000)
If you have a symbolic link, sometimes that screws things ups. Let’s assume /www
is symlinked to /usr/local/apache, and each of your virtual hosts is a
sub-directory in /usr/local/apache. You are trying to protect /www/mydomain/secret.
You should put your AllowOverride on /www/mydomain/secret, not /usr/local/apache/mydomain/secret.
Basically, use the pathname as found in the vhost declaration., regardless of any
A final word
In hindsight, I think this article assumes a bit too much. For example, it
assumes you already have the AuthUserFile and the AuthGroupFile. I suggest you read
the article http://www.sheamus.force9.co.uk/user/password.html
as well. It might give you enough. If it doesn’t, add your comments.
March 2000 – This seems to be a good resource for this topic: http://kb.indiana.edu/data/abeq.html?cust=2008