To put username/password restrictions on your website, you must have Apache installed and running. There are only 2 steps to this:
1. create a file with user names and passwords
2. tell the server what you want to be protected and which users are allowed
For the first step, you will use the program htpasswd. It creates a user file and can add or modify users. For security reasons, you should not create the file under your site's root directory (the document root). For example, I made it under /usr/local/etc/httpd/ and will use this to show examples. To create a new user file and add the username “xyz” with the password “abc123” to the file, run:
htpasswd -c /usr/local/etc/httpd/users xyz
The -c option tells htpasswd to create a new users file. After you run this command, you will be prompted for a password for xyz, and asked to confirm it by entering it again. You can add other users the same way but without the “-c” option. You can also use the same command to modify the password of an existing user. When looking at the /usr/local/etc/httpd/users file, it might look like this:
The first field is the username; the second is the encrypted password.
To get the server to use the usernames and passwords from the file you just made, you need to create a file called “.htaccess” in the directory you want to be secured. In this file you need to write:
AuthName "restricted stuff"
AuthType Basic
AuthUserFile /usr/local/etc/httpd/users
require user xyz dummy
OK, now to explain that. The first directive, AuthName, specifies the realm name for this protection. A realm is the section of your site that you want to be restricted. Once a user has entered a valid username and password, any other resource within the same realm name can be accessed with the same username and password. This can be used to create 2 areas which share the same username and password.
The AuthType directive tells the server what protocol is to be used for authentication. Right now Basic is the only method available.
AuthUserFile tells the server the location of the user file created by
The last directive, require user xyz dummy, tells the server that only the users xyz and dummy can access the restricted resource.
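As an added example (not part of the original tutorial), this Python script checks a .htaccess like the one described above for two things the text asks for: that the user file sits outside the web-served tree, and that every name listed after require user has an entry in the user file. The function names, the placeholder hash and the document root /home/httpd/html are assumptions made for the example; it handles one directive per line and a single require line.

```python
import shlex
from pathlib import PurePosixPath

def parse_htaccess(text):
    """Map each directive name (lower-cased) to its argument list."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, *args = shlex.split(line)  # keeps "restricted stuff" as one argument
            directives[name.lower()] = args
    return directives

def parse_users(text):
    """Usernames from an htpasswd-style file: one 'user:hash' entry per line."""
    return {line.split(":", 1)[0] for line in text.splitlines() if ":" in line}

def audit(htaccess_text, users_text, docroot):
    """Return a list of findings; an empty list means every check passed."""
    d = parse_htaccess(htaccess_text)
    findings = [f"missing directive: {n}"
                for n in ("authname", "authtype", "authuserfile", "require")
                if not d.get(n)]
    user_file = (d.get("authuserfile") or [""])[0]
    if user_file and PurePosixPath(docroot) in PurePosixPath(user_file).parents:
        findings.append(f"user file is inside the document root: {user_file}")
    req = d.get("require") or []
    if req and req[0].lower() == "user":
        known = parse_users(users_text)
        findings += [f"required user not in user file: {u}"
                     for u in req[1:] if u not in known]
    return findings

# Constructed sample input: the four directives explained above, a user file
# that only contains xyz (placeholder hash), and an assumed document root.
HTACCESS = '''AuthName "restricted stuff"
AuthType Basic
AuthUserFile /usr/local/etc/httpd/users
require user xyz dummy
'''
USERS = "xyz:PLACEHOLDER_HASH\n"
DOCROOT = "/home/httpd/html"  # assumption, not taken from the page

if __name__ == "__main__":
    for finding in audit(HTACCESS, USERS, DOCROOT) or ["no findings"]:
        print(finding)
```

With the sample input the only finding is that dummy is named in require user but was never added with htpasswd, so that account could not log in until it is created.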
That’s pretty much it. You might also want to play with the access.conf file in /etc/httpd/conf/. Here’s what an example looks like:
## access.conf — Apache HTTP server configuration file
# access.conf: Global access configuration
# Online docs at
# This file defines server settings which affect which types of services
# are allowed, and in what circumstances.
# Each directory to which Apache has access, can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
# Originally by Rob McCool
# First, we configure the “default” to be a very restrictive set of
# Note that from this point forward you must specifically allow
# particular features to be enabled – so if something’s not working as
# you might expect, make sure that you have specifically enabled it
# This should be changed to whatever you set DocumentRoot to.
# This may also be “None”, “All”, or any combination of “Indexes”,
# “Includes”, “FollowSymLinks”, “ExecCGI”, or “MultiViews”.
# Note that “MultiViews” must be named *explicitly* — “Options All”
# doesn’t give it to you.
Options Indexes Includes FollowSymLinks
# This controls which option the .htaccess files in directories can
# override. Can also be “All”, or any combination of “Options”, “FileInfo”,
# “AuthConfig”, and “Limit”
# Controls who can get stuff from this server.
order allow,deny
allow from all
# /home/httpd/cgi-bin should be changed to whatever your ScriptAliased
# CGI directory exists if you have that configured.
# Allow server status reports, with the URL of
# Change the “.your_domain.com” to match your domain to enable.
#order deny,allow
#deny from all
#allow from .your_domain.com
# Allow access to local system documentation from localhost
order deny,allow
deny from all
allow from localhost
Options Indexes FollowSymLinks
# There have been reports of people trying to abuse an old bug from pre-1.1
# days. This bug involved a CGI script distributed as a part of Apache.
# By uncommenting these lines you can redirect these attacks to a logging
# script on phf.apache.org. Or, you can record them yourself, using the script
#deny from all
# You may place any other directories or locations you wish to have
# access information for after this one.