Basic Authentication with Apache | WebReference

Basic Authentication with Apache

By Sukrit Dhandhania


Over the past decade or so, Apache has more than proven itself as a great web server. It's flexible, fast, well-documented, free, and serves millions of web pages on the Internet every day. Apache can be configured to protect either the whole website or just certain sections of it, allowing access only to a few authorized users. This can be done by creating users and setting up a user authentication system so that when someone goes to a protected section of the website they are asked to enter a username and a password. Let's take a look at how this can done.

There are two steps involved in setting up a user authentication system with Apache. First, you need to create the users along with passwords and have this information stored in a password file. Then you need to configure Apache and tell it which sections of the website you want protected and which users should be allowed access.

Create Users

Let's begin by creating two users, calvin and hobbes. We'll store the username and password combination in a password file at /etc/users. Feel free to store this information at another location if you like, as there's no standard location for it. We will use htpasswd, a tool to create and manage users, to create these users. Run the following command to create your first user, calvin:

htpasswd will prompt you to enter a password, and then ask you confirm it. Note the use of the -c flag in the command shown above. This flag tells htpasswd to create the file /etc/users. This is only required when you need to create a new password file. Subsequent users can be added to this password file without the use of the -c flag. Note that using the -c flag with htpasswd on an existing file will clear the file's contents completely and create a new one. So be careful while using this flag.

Now create the second user, hobbes, without the -c flag:

Look at the contents of the password file at /etc/users. It will look something like this:

The first half of each line contains the username. The second half is the encrypted password. The passwords are stored in an encrypted form so that anyone having access to the password file will find it extremely difficult if not impossible to guess a user's password. However, this kind of encryption may not be enough security. A good security measure is to change the permissions of the file and make sure that only the root user can write to the file. This way no one can replace a user's password with his own password and gain access to a restricted area of the website.

Windows users can secure the password file in a similar manner. You can access the permissions preference pane by right-clicking on the file and choosing Properties. Only the web server user should be able to write to the password file. Make sure that other users cannot even read it.

Server Configuration

After creating the password file with the users calvin and hobbes you need to configure the Apache server and tell it which section of the site requires user authentication. There are two ways by which you can configure Apache. You can either directly edit Apache's main configuration file, httpd.conf, and the support configuration files, or you can create a .htaccess file and setup authentication on a per-directory basis. You can learn more about the .htaccess approach in the Apache documentation. You might need to use this method if you are using a shared hosting environment.

Let's look at how you would go about configuring Apache to setup user authentication for a section of the website which is in a directory with the name protected-area. Here's the configuration you would need to add to your httpd.conf:

If you want to go the .htaccess route, create a file with that name in the protected-area directory and enter the following configuration into it:

Let me break the configuration down for you and explain each section.


The location of the password file. In this case /etc/users.


The authentication realm or name. This is the message that the user will see in the username/password pop-up.


The location of the group file, if any. We'll get to groups soon.


The type of authentication being used. In this case, it is set to Basic.


What conditions need to be satisfied in order to allow the user through. It could be more than one condition.

After making the changes to Apache's configuration files you need to restart Apache for the new settings to kick in. Linux users can run the following command to restart Apache:

Windows users can restart it from the Control Panel.

Test the new user authentication settings by accessing the protected-area section of your website in your web browser. The phrase "This is a protected area" will be displayed in the password pop-up box where you will need to enter the username and password of a valid user.