Protected Apache directories – added more detail

Protected Apache directories

This article tells you how you can create password protected directories on your
website.  First we will add a user, then we will give them access to a directory.

You will need at least AllowOverride AuthConfig on the directory you are trying to


<Directory "/path/to/protected/directory">
        AllowOverride AuthConfig

The above goes into the section of your apache configuration file (either http.conf
or apache.conf depending on your installation) for the website in question.
  Something like this:

        <Directory "/path/to/protected/directory">
                AllowOverride AuthConfig

See also the bit about symlinks.

Password file

Apache uses a password file.  Each user will have an entry in that file.

first step is creating a password file.  Your website may already have one.  You
might want to use that.  The -c option creates a new file and deletes it
if it exists.  I was lucky and it was already on my machine.   However, I’ve
seen many messages in the mailing list which showed that some people were having trouble
creating it.  I will eventually find out how to install this program.  I found
mine at:


Here’s how I added dan as a user.  You may have to supply the full path name as
shown above.  You can always issue a locate htpasswd to find it.

$ htpasswd -c httpd_access dan
Adding password for dan.
New password:
Re-type new password:

The above creates a file httpd_access.  Within that file you will find
something like this:


This contains the encrypted password I entered above (don’t bother trying to crack it,
I made that string up).  The contents of this file needs to be added to the AuthUserFile
as indicated by .htaccess.  See the next section for more information.

Protecting the directory

The basis of directory protection within Apache is the .htaccess file.
  Here is a working example to get you going.  I added this file to a directory
I wished to protect.

# -FrontPage-

IndexIgnore .*
AuthName protectthis
AuthUserFile  /home/susan/public_html/_vti_pvt/service.pwd
AuthGroupFile /home/susan/public_html/_vti_pvt/service.grp
AuthType Basic
<Limit GET>
    require user susan

With the above configuration, only susan can get access to this directory.  You an
also use groups or just all any user.  The following statement would allow any valid
user access to the directory.

require valid-user

You also need the service.pwd and service.grp files.  Here
are some examples (again, I made up these encrypted passwords):

administrators: admin

If your AuthUserFile and AuthGroupFile already exist, you should use them.  
Otherwise you can use these examples to create your own.

If you are adding a new user,
as in the previous section, you can just add the output from htpasswd to the end
of service.pwd.

For more information on this type of configuration, please try the following resources
within the Apache manual.  Particularly the Run-time configuration directives.

Problems I found

One day I tried adding access restrictions to a whole website using the above
instructions.  I had trouble.  I kept getting the following error:

Internal Server Error

The server encountered an internal error or misconfiguration
and was unable to complete your request.

Please contact the server administrator,
and inform them of the time the error occurred, and anything
you might have done that may have caused the error.

More information about this error may be available in the 
server error log.

Apache/1.3.9 Server at Port 80

But I found no help in neither my access logs nor my error logs.  Eventually I
read the manual entry for require
and discovered that my .htaccess file did not have an AuthType
directive.  I added that in and all was well.

See also the symlink issues in the next section.

Symbolic links (added on 19 September 2000)

If you have a symbolic link, sometimes that screws things ups.  Let’s assume /www
is symlinked to /usr/local/apache,   and each of your virtual hosts is a
sub-directory in /usr/local/apache.   You are trying to protect /www/mydomain/secret
You should put your AllowOverride on /www/mydomain/secret, not /usr/local/apache/mydomain/secret.
  Basically, use the pathname as found in the vhost declaration., regardless of any

A final word

In hindsight, I think this article assumes a bit too much.  For example, it
assumes you already have the AuthUserFile and the AuthGroupFile.  I suggest you read
the article
as well.  It might give you enough.  If it doesn’t, add your comments.

March 2000
– This seems to be a good resource for this topic:

Leave a Comment

Scroll to Top