Password-protecting a page in Apache Revision as of Monday, 21 December 2015 at 02:30 UTC
Pre-Flight
- Speak to the sysadmin to check if the server’s Apache config
allows overrides. Basically, theAllowOverrides
directive must be
set toall
. - Your password file can be called anything (i.e. not necessarily
.htpasswd
). I’m going to stick to.htpasswd
since it’s standard.
Working with Apache password files
Creating a .htpasswd
file
Let’s add Ben
[user@example snort]# htpasswd -c .htpasswd ben
New password:
Re-type new password:
Adding password for user ben
Adding more users
Vitally important to omit the -c flag. Not doing so will truncate
the original file!
[user@example snort]# htpasswd .htpasswd roger
New password:
Re-type new password:
Adding
password for user roger
Removing users
Edit the .htpasswd
file and remove the line containing the user
Changing user passwords
Precisely the same as adding users. htpasswd
will figure out that
you’re trying to update a password:
[user@example snort]# htpasswd .htpasswd roger
New password:
Re-type new password:
Updating
password for user roger
Using .htaccess
to tie it all together
Create a file called .htaccess
and add the following basic options
(there are tons more) to use your password file:
AuthUserFile /full/path/to/.htpasswd
AuthGroupFile /dev/null
AuthName "Enter your credentials to view this page"
AuthType Basic
require valid-user
Security Considerations
On a UNIX box, the crypt
function is used to store passwords. I
recommend using the SHA algorithm instead:
[user@example snort]# htpasswd -c .htpasswd ben
-s
A crucially important consideration is that all this is done in
plaintext. Use SSL.