Apache authentication

Authenticating with password in Apache


Introduction

You will probably want to protect certain parts of your home web page, which means restricting access to certain visitors. You can implement the authentication in the web page itself, but the server can also restrict access for you. In this tutorial I will show you how to password-protect assets on an Apache web server running on Raspbian Stretch.

Creating a password file

Before starting: if you are going to send passwords over the internet, I strongly recommend following this post and forcing traffic encryption. Basic authentication only Base64-encodes the credentials, so otherwise your username and password will travel through the internet effectively as plain text.

To create the file containing the usernames and passwords you will need htpasswd. This utility is included in the apache2-utils package. If you haven't already installed it, run:

sudo apt-get install apache2-utils

To create a new password file for the user dummy, type:

sudo htpasswd -c /home/dummy/.htpasswd dummy

This command will place a hidden file in the home directory of the dummy user. It will ask you to supply and confirm a password for the user. To add another user, remove the -c parameter from the command (-c creates the file and overwrites an existing one):

sudo htpasswd /home/dummy/.htpasswd dummy2

If you open the file, you will see each username followed by its hashed password.
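
The scheme used for each entry can be read from the prefix of its hash. The script below is an added example, not part of the original post: it rates bcrypt (written by htpasswd -B) as ok, the apr1 MD5 format as legacy, and unsalted SHA-1, crypt or plaintext as weak. The function name audit_htpasswd and the sample entries are made up for illustration.

```shell
#!/bin/sh
# Added example: report the hash scheme of every entry in an htpasswd file.
# Prefixes written by htpasswd: $2y$ = bcrypt (-B), $apr1$ = salted MD5 (-m),
# {SHA} = unsalted SHA-1 (-s); anything else is crypt(3) (-d) or plaintext (-p).

audit_htpasswd() {
    # $1: password file. Prints "user scheme verdict" for each entry.
    # Returns 0 if nothing is weak, 1 if something is, 2 if the file is missing.
    [ -f "$1" ] || { echo "no such password file: $1" >&2; return 2; }
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        {
            sep = index($0, ":")
            if (sep < 2) { print "? malformed weak"; bad = 1; next }
            user = substr($0, 1, sep - 1)
            hash = substr($0, sep + 1)
            if (hash ~ /^[$]2[aby][$]/) {
                scheme = "bcrypt"; verdict = "ok"
            } else if (index(hash, "$apr1$") == 1) {
                scheme = "apr1-md5"; verdict = "legacy"
            } else if (index(hash, "{SHA}") == 1) {
                scheme = "sha1-unsalted"; verdict = "weak"
            } else {
                scheme = "crypt-or-plain"; verdict = "weak"
            }
            if (verdict == "weak") bad = 1
            print user, scheme, verdict
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample (placeholder strings, not real digests).
sample=$(mktemp)
cat > "$sample" <<'EOF'
dummy:$apr1$Constr00$PLACEHOLDERPLACEHOLDER
dummy2:$2y$05$PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER
legacy:{SHA}PLACEHOLDERPLACEHOLDERPLA=
EOF
audit_htpasswd "$sample" || echo "at least one entry uses a weak scheme"
rm -f "$sample"
```
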

Configuring Apache password authentication

Now you need to configure Apache to check this file before serving the protected content. There are two ways to do this: edit the virtual host file, or create an .htaccess file in each directory that needs protection. I chose the first option myself. It offers better performance, as it avoids the expense of reading distributed configuration files.

First open your virtual host file, usually located in /etc/apache2/sites-enabled/. If you are using only HTTPS, make your changes in default-ssl.conf; otherwise the default virtual host file is named 000-default.conf. Open the file with your favourite text editor and add the following lines:

sudo vi /etc/apache2/sites-enabled/000-default.conf

  ...
  <Directory "/var/www/html/restricted_directory">
      AuthType Basic
      AuthName "Password Required"
      AuthUserFile /home/dummy/.htpasswd
      Require valid-user
  </Directory>

Authentication is configured on a per-directory basis, so if you want to restrict access to several directories, you will have to create a new Directory block for each one. Within each Directory block, AuthType Basic sets up Basic authentication. For AuthName, choose a realm name; it will be displayed to the user when prompting for credentials. Use the AuthUserFile directive to point Apache to the password file we created. Finally, Require valid-user means that anyone who can verify their identity with a password will be allowed in. If you want to allow only a specific user, write Require user dummy instead. More options can be found in the Apache documentation.

Testing the Apache configuration

Before restarting Apache, you can test the configuration changes by typing:

sudo apache2ctl configtest

I recommend running this short test every time you change the configuration files. Once it passes, restart Apache with:

sudo service apache2 restart

Then try to access the restricted area of your web page. You should see a pop-up like the following:

[Image: Apache authentication]
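
A "Syntax OK" from configtest does not mean the password file can be opened: in the comments below, the error log shows AH01620 for an AuthUserFile path that did not exist. The check below is an added example, not part of the original post; it reads the AuthUserFile paths out of a virtual host file and verifies each one before you restart. The function name and the RUN_AS variable are invented for this script, and www-data is assumed to be the Apache user, as on Raspbian and Debian.

```shell
#!/bin/sh
# Added example: check every AuthUserFile named in a vhost file before restarting.
# Assumptions: paths contain no spaces; RUN_AS is a knob invented for this script,
# e.g. RUN_AS="sudo -u www-data" to test access as Debian/Raspbian's Apache user.

check_auth_user_files() {
    conf=$1
    status=0
    # DocumentRoot of the vhost, used to flag password files stored under it.
    docroot=$(awk 'tolower($1) == "documentroot" { gsub(/"/, "", $2); print $2; exit }' "$conf")
    docroot=${docroot%/}
    for pw in $(awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2 }' "$conf"); do
        if ! ${RUN_AS:-} test -r "$pw"; then
            # Missing or no permission: Apache logs AH01620 and answers 500.
            echo "CANNOT_READ $pw"; status=1
        elif [ -n "$docroot" ] && [ "${pw#"$docroot"/}" != "$pw" ]; then
            # Readable, but stored inside the tree that Apache serves.
            echo "UNDER_DOCROOT $pw"; status=1
        else
            echo "OK $pw"
        fi
    done
    return $status
}

# Constructed demo: one password file exists, the other path does not.
demo=$(mktemp -d)
: > "$demo/.htpasswd"
cat > "$demo/vhost.conf" <<EOF
DocumentRoot /var/www/html
<Directory "/var/www/html/restricted_directory">
    AuthUserFile $demo/.htpasswd
</Directory>
<Directory "/var/www/html/other">
    AuthUserFile "$demo/does-not-exist/.htpasswd"
</Directory>
EOF
check_auth_user_files "$demo/vhost.conf" || echo "fix the paths above before restarting Apache"
rm -rf "$demo"
```
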

5 thoughts on “Authenticating with password in Apache”

  1. Thanks for this. I am having a problem and I hope someone can help. I followed the directions accurately, but when I do the configtest, I get this:
    sudo apache2ctl configtest
    AH00558: apache2: Could not reliably determine the server’s fully qualified domain name, using 127.0.1.1. Set the ‘ServerName’ directive globally to suppress this message
    Syntax OK
    Also, when I try to access a web page in the restricted_directory, I do get the name/password request box, but when I enter the name/password I used with htpasswd, I get this error:

    Internal Server Error
    The server encountered an internal error or misconfiguration and was unable to complete your request.

    Please contact the server administrator at webmaster@localhost to inform them of the time this error occurred, and the actions you performed just before this error.

    More information about this error may be available in the server error log.

    Apache/2.4.38 (Raspbian) Server at 192.168.2.155 Port 80

    Help!!!?
    Thanks.

    • Hello Arnie,

      We would need to see the error log to guess what is going on. Can you paste it? Usually it is in /var/log/apache2/error.log or something similar.

      Regards,

      Dani

  2. Thanks. Just noticed your reply. Here is the error log:

    [Thu Aug 20 12:35:17.327261 2020] [mpm_event:notice] [pid 19556:tid 1995702800] AH00489: Apache/2.4.38 (Raspbian) configured — resuming normal operations
    [Thu Aug 20 12:35:17.327736 2020] [core:notice] [pid 19556:tid 1995702800] AH00094: Command line: ‘/usr/sbin/apache2’
    [Thu Aug 20 12:35:27.685115 2020] [mpm_event:notice] [pid 19556:tid 1995702800] AH00491: caught SIGTERM, shutting down
    [Thu Aug 20 12:35:27.835446 2020] [mpm_prefork:notice] [pid 20492] AH00163: Apache/2.4.38 (Raspbian) configured — resuming normal operations
    [Thu Aug 20 12:35:27.835905 2020] [core:notice] [pid 20492] AH00094: Command line: ‘/usr/sbin/apache2’
    [Thu Aug 20 12:35:29.452954 2020] [mpm_prefork:notice] [pid 20492] AH00169: caught SIGTERM, shutting down
    [Thu Aug 20 12:35:29.891970 2020] [mpm_prefork:notice] [pid 20554] AH00163: Apache/2.4.38 (Raspbian) configured — resuming normal operations
    [Thu Aug 20 12:35:29.892168 2020] [core:notice] [pid 20554] AH00094: Command line: ‘/usr/sbin/apache2’
    [Thu Aug 20 12:46:08.308520 2020] [mpm_prefork:notice] [pid 20554] AH00169: caught SIGTERM, shutting down
    [Thu Aug 20 12:46:19.203184 2020] [mpm_prefork:notice] [pid 558] AH00163: Apache/2.4.38 (Raspbian) configured — resuming normal operations
    [Thu Aug 20 12:46:19.204744 2020] [core:notice] [pid 558] AH00094: Command line: ‘/usr/sbin/apache2’
    [Thu Aug 20 13:05:04.013062 2020] [mpm_prefork:notice] [pid 558] AH00169: caught SIGTERM, shutting down
    [Thu Aug 20 13:05:14.402241 2020] [mpm_prefork:notice] [pid 541] AH00163: Apache/2.4.38 (Raspbian) configured — resuming normal operations
    [Thu Aug 20 13:05:14.407050 2020] [core:notice] [pid 541] AH00094: Command line: ‘/usr/sbin/apache2’
    [Thu Aug 20 15:23:27.794232 2020] [mpm_prefork:notice] [pid 541] AH00169: caught SIGTERM, shutting down
    [Thu Aug 20 15:23:28.083587 2020] [mpm_prefork:notice] [pid 1783] AH00163: Apache/2.4.38 (Raspbian) configured — resuming normal operations
    [Thu Aug 20 15:23:28.083831 2020] [core:notice] [pid 1783] AH00094: Command line: ‘/usr/sbin/apache2’
    [Thu Aug 20 15:23:49.591248 2020] [authn_file:error] [pid 1788] (2)No such file or directory: [client 192.168.2.118:55996] AH01620: Could not open password file: /home/dummy/.htpasswd
    [Thu Aug 20 15:29:11.542181 2020] [mpm_prefork:notice] [pid 1783] AH00169: caught SIGTERM, shutting down
    [Thu Aug 20 15:29:11.837013 2020] [mpm_prefork:notice] [pid 1854] AH00163: Apache/2.4.38 (Raspbian) configured — resuming normal operations
    [Thu Aug 20 15:29:11.837298 2020] [core:notice] [pid 1854] AH00094: Command line: ‘/usr/sbin/apache2’
    [Thu Aug 20 15:29:22.012047 2020] [authn_file:error] [pid 1858] (2)No such file or directory: [client 192.168.2.118:56020] AH01620: Could not open password file: /home/dummy/.htpasswd
    [Thu Aug 20 15:29:35.775866 2020] [authn_file:error] [pid 1859] (2)No such file or directory: [client 192.168.2.118:56021] AH01620: Could not open password file: /home/dummy/.htpasswd
    [Thu Aug 20 15:29:49.430947 2020] [authn_file:error] [pid 1860] (2)No such file or directory: [client 192.168.2.118:56022] AH01620: Could not open password file: /home/dummy/.htpasswd
    [Thu Aug 20 15:31:46.433105 2020] [authn_file:error] [pid 1862] (2)No such file or directory: [client 192.168.2.118:56040] AH01620: Could not open password file: /home/dummy/.htpasswd
    [Thu Aug 20 15:47:50.992962 2020] [mpm_prefork:notice] [pid 1854] AH00169: caught SIGTERM, shutting down
    [Thu Aug 20 15:47:51.278952 2020] [mpm_prefork:notice] [pid 2007] AH00163: Apache/2.4.38 (Raspbian) configured — resuming normal operations
    [Thu Aug 20 15:47:51.279158 2020] [core:notice] [pid 2007] AH00094: Command line: ‘/usr/sbin/apache2’
    [Thu Aug 20 15:48:07.905062 2020] [authn_file:error] [pid 2012] (2)No such file or directory: [client 192.168.2.118:56317] AH01620: Could not open password file: /home/dummy/.htpasswd
    [Thu Aug 20 16:03:45.421597 2020] [mpm_prefork:notice] [pid 2007] AH00169: caught SIGTERM, shutting down
    [Thu Aug 20 16:03:45.706483 2020] [mpm_prefork:notice] [pid 2085] AH00163: Apache/2.4.38 (Raspbian) configured — resuming normal operations
    [Thu Aug 20 16:03:45.706698 2020] [core:notice] [pid 2085] AH00094: Command line: ‘/usr/sbin/apache2’
    [Thu Aug 20 17:02:43.618633 2020] [mpm_prefork:notice] [pid 2085] AH00169: caught SIGTERM, shutting down
    [Thu Aug 20 17:02:43.908031 2020] [mpm_prefork:notice] [pid 2300] AH00163: Apache/2.4.38 (Raspbian) configured — resuming normal operations
    [Thu Aug 20 17:02:43.908231 2020] [core:notice] [pid 2300] AH00094: Command line: ‘/usr/sbin/apache2’
    [Thu Aug 20 17:02:59.444481 2020] [auth_basic:error] [pid 2305] [client 192.168.2.118:64536] AH01618: user dummyt not found: /
    [Thu Aug 20 17:03:05.503098 2020] [auth_basic:error] [pid 2306] [client 192.168.2.118:64537] AH01617: user arniep: authentication failure for “/”: Password Mismatch
    [Thu Aug 20 17:05:17.903151 2020] [mpm_prefork:notice] [pid 2300] AH00169: caught SIGTERM, shutting down
    [Thu Aug 20 17:05:18.194120 2020] [mpm_prefork:notice] [pid 2372] AH00163: Apache/2.4.38 (Raspbian) configured — resuming normal operations
    [Thu Aug 20 17:05:18.194322 2020] [core:notice] [pid 2372] AH00094: Command line: ‘/usr/sbin/apache2’
    [Thu Aug 20 18:50:34.314318 2020] [mpm_prefork:notice] [pid 2372] AH00169: caught SIGTERM, shutting down
    [Thu Aug 20 18:50:44.374104 2020] [mpm_prefork:notice] [pid 540] AH00163: Apache/2.4.38 (Raspbian) configured — resuming normal operations
    [Thu Aug 20 18:50:44.378753 2020] [core:notice] [pid 540] AH00094: Command line: ‘/usr/sbin/apache2’
    [Fri Aug 21 12:59:46.156311 2020] [mpm_prefork:notice] [pid 540] AH00169: caught SIGTERM, shutting down
    [Fri Aug 21 12:59:46.444549 2020] [mpm_prefork:notice] [pid 5699] AH00163: Apache/2.4.38 (Raspbian) configured — resuming normal operations
    [Fri Aug 21 12:59:46.444789 2020] [core:notice] [pid 5699] AH00094: Command line: ‘/usr/sbin/apache2’
    [Fri Aug 21 13:47:47.018225 2020] [mpm_prefork:notice] [pid 5699] AH00169: caught SIGTERM, shutting down
    [Fri Aug 21 13:47:57.832598 2020] [mpm_prefork:notice] [pid 559] AH00163: Apache/2.4.38 (Raspbian) configured — resuming normal operations
    [Fri Aug 21 13:47:57.837556 2020] [core:notice] [pid 559] AH00094: Command line: ‘/usr/sbin/apache2’
    [Fri Aug 21 14:03:51.231755 2020] [mpm_prefork:notice] [pid 559] AH00169: caught SIGTERM, shutting down
    [Fri Aug 21 14:21:12.166626 2020] [mpm_prefork:notice] [pid 2764] AH00163: Apache/2.4.38 (Raspbian) configured — resuming normal operations
    [Fri Aug 21 14:21:12.166871 2020] [core:notice] [pid 2764] AH00094: Command line: ‘/usr/sbin/apache2’
    [Fri Aug 21 14:26:45.028223 2020] [php7:error] [pid 2820] [client 192.168.2.118:58666] PHP Parse error: syntax error, unexpected ‘” onclick=’change_pin (“‘ (T_CONSTANT_ENCAPSED_STRING) in /var/www/html/Web2/index4.php on line 25
    [Fri Aug 21 14:26:48.993302 2020] [php7:error] [pid 2821] [client 192.168.2.118:58667] PHP Parse error: syntax error, unexpected ‘” onclick=’change_pin (“‘ (T_CONSTANT_ENCAPSED_STRING) in /var/www/html/Web2/index4.php on line 25
    [Fri Aug 21 15:37:58.372872 2020] [mpm_prefork:notice] [pid 2764] AH00169: caught SIGTERM, shutting down
    [Fri Aug 21 15:38:09.185607 2020] [mpm_prefork:notice] [pid 552] AH00163: Apache/2.4.38 (Raspbian) configured — resuming normal operations
    [Fri Aug 21 15:38:09.188668 2020] [core:notice] [pid 552] AH00094: Command line: ‘/usr/sbin/apache2’
    [Fri Aug 21 17:42:35.487149 2020] [mpm_prefork:notice] [pid 552] AH00169: caught SIGTERM, shutting down
    [Fri Aug 21 17:42:46.367621 2020] [mpm_prefork:notice] [pid 544] AH00163: Apache/2.4.38 (Raspbian) configured — resuming normal operations
    [Fri Aug 21 17:42:46.372181 2020] [core:notice] [pid 544] AH00094: Command line: ‘/usr/sbin/apache2’
    [Sat Aug 22 00:00:52.784817 2020] [mpm_prefork:notice] [pid 544] AH00171: Graceful restart requested, doing restart
    AH00558: apache2: Could not reliably determine the server’s fully qualified domain name, using 127.0.1.1. Set the ‘ServerName’ directive globally to suppress this message

    • Hi Arnie,

      There are a few errors that are not related to the Apache server (some PHP errors), but this line:
      No such file or directory: [client 192.168.2.118:56317] AH01620: Could not open password file: /home/dummy/.htpasswd

      Says that the file containing the passwords does not exist. Do you really have a “dummy” user? Or is the .htpasswd file under the path /home/YOUR_USER_NAME/.htpasswd?

      Check this, change the path where the .htpasswd file should be searched for, and try again.

      Dani
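
The three authentication messages that appear in the log posted above can be told apart mechanically. The function below is an added example, not part of the original thread: it separates the server-side fault (AH01620, password file could not be opened) from credential failures (AH01617 password mismatch, AH01618 user not found) and counts the latter per client address. The function name, the threshold and the sample lines (with documentation-range addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise Basic-auth errors in an Apache 2.4 error log.
# AH01620 = password file could not be opened (server-side fault),
# AH01617 = password mismatch, AH01618 = user not found (credential failures).

auth_log_summary() {
    # $1: error log path; $2: failures per client that count as suspicious (default 5)
    awk -v limit="${2:-5}" '
        /AH01620:/ { config_faults++ }
        /AH0161[78]:/ {
            ip = "unknown"
            if (match($0, /\[client [^]]*\]/)) {
                ip = substr($0, RSTART + 8, RLENGTH - 9)   # "IP:port"
                sub(/:[0-9]+$/, "", ip)                    # drop the source port
            }
            failures[ip]++
        }
        END {
            printf "config_faults=%d\n", config_faults
            for (ip in failures)
                printf "%s failures=%d%s\n", ip, failures[ip],
                       (failures[ip] >= limit ? " SUSPICIOUS" : "")
        }
    ' "$1"
}

# Constructed sample lines in the format of the log posted above.
log=$(mktemp)
cat > "$log" <<'EOF'
[Thu Aug 20 15:48:07.905062 2020] [authn_file:error] [pid 1] (2)No such file or directory: [client 192.0.2.10:50001] AH01620: Could not open password file: /home/dummy/.htpasswd
[Thu Aug 20 17:02:59.444481 2020] [auth_basic:error] [pid 2] [client 192.0.2.10:50002] AH01618: user alice not found: /
[Thu Aug 20 17:03:05.503098 2020] [auth_basic:error] [pid 3] [client 192.0.2.10:50003] AH01617: user bob: authentication failure for "/": Password Mismatch
EOF
auth_log_summary "$log" 2
rm -f "$log"
```
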
