Password-protecting a page in Apache

Pre-Flight

  • Speak to the sysadmin to check if the server‚Äôs Apache config
    allows overrides. Basically, the AllowOverrides directive must be
    set to all.
  • Your password file can be called anything (i.e. not necessarily
    .htpasswd). I’m going to stick to .htpasswd since it’s standard.

Working with Apache password files

Creating a .htpasswd file

Let’s add Ben

[user@example snort]# htpasswd -c .htpasswd ben  
New password:   
Re-type new password:   
Adding password for user ben

Adding more users

Vitally important to omit the -c flag. Not doing so will truncate
the original file!

[user@example snort]# htpasswd .htpasswd roger  
New password:   
Re-type new password:   
Adding password for user roger

Removing users

Edit the .htpasswd file and remove the line containing the user

Changing user passwords

Precisely the same as adding users. htpasswd will figure out that
you’re trying to update a password:

[user@example snort]# htpasswd .htpasswd roger  
New password:   
Re-type new password:   
Updating password for user roger

Using .htaccess to tie it all together

Create a file called .htaccess and add the following basic options
(there are tons more) to use your password file:

AuthUserFile /full/path/to/.htpasswd  
AuthGroupFile /dev/null  
AuthName "Enter your credentials to view this page"  
AuthType Basic  
<Limit GET>  
  require valid-user  
</Limit>

Security Considerations

On a UNIX box, the crypt function is used to store passwords. I
recommend using the SHA algorithm instead:

[user@example snort]# htpasswd -c .htpasswd ben -s

A crucially important consideration is that all this is done in
plaintext
. Use SSL.