Apache authentication

Authenticating with password in Apache

Introduction

You will probably want to protect certain parts of your home web page, that is, restrict access to certain visitors only. You can build the authentication into the web page itself, but the server can also be used to restrict access. In this tutorial I will show you how to password-protect assets on an Apache web server running on Raspbian Stretch.

Creating a password file

Before starting: if you are going to send passwords over the internet, I strongly recommend following this post and forcing traffic encryption. Otherwise your username and password will travel as plain text through the internet.

To create the file containing the usernames and passwords you will need htpasswd. This utility is included in the apache2-utils package. If you haven’t already installed it, just do:

To create a new password file for the user dummy, type:

This command will place a hidden file in the home directory of the dummy user. It will ask you to supply and confirm a password for the user. If you want to add an additional user, remove the -c parameter from the command, because -c creates the file and overwrites an existing one:

If you open the file, you will see the usernames, each followed by the encrypted (hashed) password.

Configuring Apache password authentication

Now you need to configure Apache to check this file before serving the protected content. There are two ways to do this. One option is to edit the virtual host file. The other is to create an .htaccess file in the directories that need protection. I chose the first option myself. It offers better performance because it avoids the expense of reading distributed configuration files.

First open your virtual host file, usually located in /etc/apache2/sites-enabled/. If you are using only HTTPS, put your modification in default-ssl.conf. Otherwise the default virtual host file is named 000-default.conf. Open the file with your favourite text editor and add the following lines:

Authentication is done on a per-directory basis, so if you want to restrict access to different directories, you will have to create a new Directory block for each one. Within each Directory block, specify that you wish to set up Basic authentication. For the AuthName, choose a realm name; it will be displayed to the user when prompting for credentials. Use the AuthUserFile directive to point Apache to the password file created earlier. Finally, require a valid-user to access this resource. This means anyone who can verify their identity with a password will be allowed in. If you want to allow only a specific user, write Require user dummy instead. More options can be found in the Apache documentation.
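The Directory block described above could look like this. It is an added example, not the configuration from the original post; the directory path, the realm text and the password file name .htpasswd are assumptions.

```apache
# Added example; /var/www/html/private, the realm text and the file name
# .htpasswd are assumed values, not taken from the original post.
<Directory "/var/www/html/private">
    # Use HTTP Basic authentication for everything under this directory.
    AuthType Basic
    # Realm name shown in the browser's credential prompt.
    AuthName "Restricted area"
    # Password file created with htpasswd. Keep it outside the document
    # root and readable by the user Apache runs as.
    AuthUserFile "/home/dummy/.htpasswd"
    # Admit any user listed in the password file who supplies the
    # matching password.
    Require valid-user
    # To admit a single account instead, replace the line above with:
    # Require user dummy
</Directory>
```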

Testing the Apache configuration

Before restarting Apache you can test the configuration changes by typing:

I recommend running this short test whenever you change the configuration files. Once it passes, restart Apache by doing:

Then try to access the restricted zone of your web page. You should see a pop-up prompting for the username and password.
