Password-protecting a page in Apache Revision as of Monday, 21 December 2015 at 02:30 UTC

Pre-Flight

Working with Apache password files

Creating a .htpasswd file

Let’s add Ben

 [user@example snort]# htpasswd -c .htpasswd ben
 New password: 
 Re-type new password: 
 Adding password for user ben

Adding more users

Vitally important to omit the -c flag. Not doing so will truncate
the original file!

 [user@example snort]# htpasswd .htpasswd roger
 New password: 
 Re-type new password: 
 Adding password for user roger

Removing users

Edit the .htpasswd file and remove the line containing the user

Changing user passwords

Precisely the same as adding users. htpasswd will figure out that
you’re trying to update a password:

 [user@example snort]# htpasswd .htpasswd roger
 New password: 
 Re-type new password: 
 Updating password for user roger

Using .htaccess to tie it all together

Create a file called .htaccess and add the following basic options
(there are tons more) to use your password file:

 AuthUserFile /full/path/to/.htpasswd
 AuthGroupFile /dev/null
 AuthName "Enter your credentials to view this page"
 AuthType Basic
 
   require valid-user
 

Security Considerations

On a UNIX box, the crypt function is used to store passwords. I
recommend using the SHA algorithm instead:

 [user@example snort]# htpasswd -c .htpasswd ben -s

A crucially important consideration is that all this is done in
plaintext
. Use SSL.

Further Reading