Basic access control in Apache
Apache .htaccess files can be used to block access to specific resources, or to provide minimal security through user name and password authentication.
You can use a .htaccess file in any folder of your website, and it will apply to all of its subfolders. A single .htaccess file placed in the root of your domain can apply to the entire website. While this is convenient for blocking access to files, you are going to need a separate .htaccess file in each subfolder that you want to password protect.
Blocking access to resources
# block access to all .ht* files
<files ~ "^\.ht">
Order allow,deny
Deny from all
</files>

# block access to wp-config
<files wp-config.php>
Order allow,deny
Deny from all
</files>
This blocks access to all files that begin with .ht, as well as the wp-config.php file. You can use this type of definition to block access to any file or folder of your choosing.
If you’re running WordPress, ideally you should move your wp-config.php file to a location on your server that is above the root of your domain. It contains security information (database credentials and secret keys) that you really don’t want somebody getting access to.
Password protecting files and directories
This is not a terribly good method of protecting your content, as none of the data is encrypted as you access it. In addition, unless you use Digest mode, your user name and password are sent in the clear every time you type them in.
Creating users and passwords
First, you need to create some user names and passwords and store them in a .htaccess file.
% cd /home/username/webapps/www.example.com/
% htpasswd -c .htpasswd user1
Adding password for user1.
New password: pass
Re-type new password: pass
% chmod a+r .htpasswd
Switch to the root folder of your domain, and run the htpasswd command with -c to create a new password file, with user1 as a user. Then type in a password for that user. Finally, chmod the file to ensure it has the proper permissions.
You can add additional users to the file by simply running the above command without the -c option. You can also create groups of users by creating a file called .htgroup that looks like so:
my-users: user1 user2 user3 user4
You should ideally put your .htpasswd file in a location that isn’t accessible from your website, such as your home directory.
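The example below is added here and is not code from the original post or from Apache; it shows what the htpasswd command from the previous steps actually writes and how Apache later decides access. It builds .htpasswd entries in the APR1-MD5 format that htpasswd produces by default, verifies a typed password against such an entry, reads a .htgroup file in the format shown above, and evaluates the three Require forms the post uses. All user names, passwords, the fixed salt and the file contents are constructed sample data.

```python
import hashlib
import hmac
import os

# Alphabet used by htpasswd for salts and for encoding the digest.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
APR1_MAGIC = b"$apr1$"


def _to64(value, count):
    """Encode the low 6*count bits of value with ITOA64, least significant group first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def apr1_md5(password, salt=None):
    """Return '$apr1$<salt>$<hash>', the scheme htpasswd writes by default (md5crypt with an APR magic)."""
    pw = password.encode()
    if salt is None:
        salt = "".join(ITOA64[b & 0x3F] for b in os.urandom(8))
    s = salt.encode()[:8]
    ctx = hashlib.md5(pw + APR1_MAGIC + s)
    alt = hashlib.md5(pw + s + pw).digest()
    for remaining in range(len(pw), 0, -16):
        ctx.update(alt[: min(remaining, 16)])
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):  # 1000 stretching rounds, as in apr_md5_encode()
        c = hashlib.md5()
        c.update(pw if r & 1 else final)
        if r % 3:
            c.update(s)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    # Byte-shuffled encoding used by md5crypt/APR1: 5 groups of 3 bytes, then 1 byte.
    triples = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in triples)
    enc += _to64(final[11], 2)
    return "$apr1$" + s.decode() + "$" + enc


def verify_htpasswd(entry, user, password):
    """Check one 'user:hash' line from .htpasswd against a typed password (APR1 entries only)."""
    name, _, stored = entry.strip().partition(":")
    if name != user or not stored.startswith("$apr1$"):
        return False
    salt = stored.split("$")[2]
    return hmac.compare_digest(apr1_md5(password, salt), stored)


def parse_htgroup(text):
    """Parse 'groupname: user1 user2 ...' lines into {group: set(users)}."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, members = line.partition(":")
        groups[name.strip()] = set(members.split())
    return groups


def authorize(htpasswd_text, htgroup_text, user, password, require):
    """Emulate 'Require valid-user', 'Require user a b' and 'Require group g' after authentication."""
    authenticated = any(
        verify_htpasswd(line, user, password) for line in htpasswd_text.splitlines() if line.strip()
    )
    if not authenticated:
        return False
    words = require.split()
    if words == ["valid-user"]:
        return True
    if words[0] == "user":
        return user in words[1:]
    if words[0] == "group":
        groups = parse_htgroup(htgroup_text)
        return any(user in groups.get(g, set()) for g in words[1:])
    return False


# Constructed sample files; a fixed salt keeps the example deterministic.
SAMPLE_HTPASSWD = "user1:" + apr1_md5("pass", "abcdefgh") + "\n"
SAMPLE_HTGROUP = "my-users: user1 user2 user3 user4\n"

if __name__ == "__main__":
    print(SAMPLE_HTPASSWD.strip())
    print("user1 / group my-users:", authorize(SAMPLE_HTPASSWD, SAMPLE_HTGROUP, "user1", "pass", "group my-users"))
    print("user1 / user user2   :", authorize(SAMPLE_HTPASSWD, SAMPLE_HTGROUP, "user1", "pass", "user user2"))
```

Compare the generated line against what `htpasswd -nbm user1 pass` prints on your own server (different salt, same format). The APR1 scheme is a fast MD5 construction, which is why the file itself must stay out of the web root and readable only by the web server user; `chmod a+r` from the steps above is broader than that, so tighten it to the account Apache runs as where you can. Newer htpasswd builds also offer `-B` for bcrypt, which is the better choice when every client that reads the file supports it.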
Setting up the authentication (Basic)
AuthType Basic
AuthName "My Protected Folder"
AuthUserFile /home/username/webapps/www.example.com/.htpasswd
AuthGroupFile /dev/null
Require valid-user
The AuthType we’re using is Basic (password sent in the clear).
AuthName is an arbitrary name you assign to your protected content. If you protect multiple directories and give each directory the same AuthName, the user will only be required to enter their information once; they will then be granted access to all of those directories.
AuthUserFile is the location of the .htpasswd file, which grants users listed in this file access.
AuthGroupFile is the location of the .htgroup file, if you wish to grant a group of users access. In this case I’m defining a null group.
Require can list specific user names, specific group names, or any valid user from the Auth files.
Setting up authentication (Digest)
This is slightly more secure than Basic mode, as your password is sent as an MD5 hash rather than in the clear. To use Digest mode, use the following code:
AuthType Digest
AuthDigestDomain /
AuthDigestProvider file
AuthUserFile /home/username/webapps/www.example.com/.htdigest
AuthName "My Protected Folder"
Require valid-user
You will need a new password file, which can be created using htdigest. Follow the same steps used when creating the .htpasswd file; the syntax for the command is the same.
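To make the Basic-versus-Digest difference concrete, the example below is added here and is not code from the original post or from Apache. It builds the Authorization header a browser sends under AuthType Basic and decodes it back, then builds an .htdigest entry (user:realm:MD5(user:realm:password), which is why htdigest also takes the realm, i.e. the AuthName, as an argument) and walks one Digest exchange: the client's response computed from the typed password and the server's nonce, and the server's check using only the stored entry. The realm matches the AuthName used in the post; the nonce, URI and credentials are constructed sample values, and the response form is the RFC 2617 variant without qop.

```python
import base64
import hashlib
import hmac


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def basic_header(user, password):
    """Authorization header a browser sends for AuthType Basic."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_recover(header):
    """Base64 is encoding, not encryption: anyone seeing the header gets the credentials back."""
    return base64.b64decode(header.split(" ", 1)[1]).decode()


def htdigest_entry(user, realm, password):
    """Line htdigest stores: user:realm:HA1 with HA1 = MD5(user:realm:password).
    The realm must equal AuthName in .htaccess or the stored HA1 will never verify."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    return f"{user}:{realm}:{ha1}"


def digest_response(ha1, method, uri, nonce):
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2), where HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def client_response(user, realm, password, method, uri, nonce):
    """Browser side: derive HA1 from the typed password, then answer the server's nonce."""
    return digest_response(md5_hex(f"{user}:{realm}:{password}"), method, uri, nonce)


def server_verify(htdigest_text, user, realm, method, uri, nonce, response):
    """Server side: recompute from the stored HA1 only; the clear password is never needed."""
    for line in htdigest_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 3 and parts[0] == user and parts[1] == realm:
            expected = digest_response(parts[2], method, uri, nonce)
            return hmac.compare_digest(expected, response)
    return False


# Constructed sample exchange using the AuthName from the post.
REALM = "My Protected Folder"
NONCE = "constructed-nonce-0001"  # a real server generates a fresh value per challenge
SAMPLE_HTDIGEST = htdigest_entry("user1", REALM, "pass") + "\n"

if __name__ == "__main__":
    hdr = basic_header("user1", "pass")
    print("Basic  :", hdr, "->", basic_recover(hdr))
    print("Digest :", SAMPLE_HTDIGEST.strip())
    resp = client_response("user1", REALM, "pass", "GET", "/protected/", NONCE)
    print("response:", resp)
    print("verified:", server_verify(SAMPLE_HTDIGEST, "user1", REALM, "GET", "/protected/", NONCE, resp))
```

Two things the exchange makes visible. First, the Digest response is a fresh MD5 over the nonce, so a captured response does not replay once the nonce changes, while a captured Basic header is the password itself. Second, the stored HA1 is password-equivalent for that realm: anyone who reads .htdigest can answer challenges without knowing the password, so the file needs exactly the same protection as .htpasswd. Neither scheme encrypts the content being served; serving the directory over HTTPS is what fixes that.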
September 15th, 2011 at 12:15 am
Big thumbs up – thanks!