Tutorials

Set up Basic Authentication in Apache Using .htaccess On CentOS 7

Table of Contents

Introduction

Apache is one of the most widely-used and popular web servers in the world. Configuring your websites with password authentication can prevent unauthorized users from accessing your website without the correct user ID and password.

This tutorial explains an easy way to password protect a web directory in Apache using .htaccess.

Requirements

  • A server running CentOS v. 7 with Apache installed
  • Static IP address or URL for your website

Configure Apache to allow .htaccess authentication

By default Apache does not allow the use of .htaccess files in CentOS 7. You will need to set up Apache to allow .htaccess based authentication.

You can do this by editing the Apache config file:

sudo nano /etc/httpd/conf/httpd.conf

Find the section that begins with <Directory "/var/www/html">. Change the line from AllowOverride none to AllowOverride AuthConfig

AllowOverride AuthConfig

Save and close the file.

Create a password file with htpasswd

The htpasswd command is used to create and update the files used to store usernames and password for basic authentication of Apache users. We will create a hidden file .htpasswd in the /etc/httpd/ configuration directory.

Let's begin by creating a .htpasswd file for user1.

sudo htpasswd -c /etc/httpd/.htpasswd user1

You will be asked to supply and confirm a password for user1.

Note: Only use -c the first time you create the file. Do not use -c when you add a user in the future.

Let's create another user named user2:

sudo htpasswd  /etc/httpd/.htpasswd user2

After creating user2, you can see the username and the encrypted password for each record:

sudo cat /etc/httpd/.htpasswd

The output will look something like this:

user1:$apr1$0r/2zNGG$jopiWY3DEJd2FvZxTnugJ/
user2:$apr1$07FYIyjx$7Zy1qcBd.B8cKqu0wN/MH1

Now, you need to allow the apache user to read the .htpasswd file.

sudo chown apache:apache /etc/httpd/.htpasswd
sudo chmod 0660 /etc/httpd/.htpasswd

Configure Apache password authentication

Now you need to create a .htaccess file in the web directory you wish to restrict.

For this example, we will create the .htaccess file in the /var/www/html/ directory to restrict the entire document root.

sudo nano /var/www/html/.htaccess

Add the following content:

AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/httpd/.htpasswd
Require valid-user

Save and close the file, then restart Apache to make these changes take effect.

sudo apachectl restart

Testing password authentication

After everything has been set up, it's time to test your Apache server.

From your desktop computer, try to access your restricted content in a web browser by visiting your URL or static IP address.

You will be prompted with a username and password to access the website.

Apache authentication page

If you enter the correct credentials, you will be allowed to access the content.

If you enter the wrong credentials or hit "Cancel" you will see the "Unauthorized" error page:

Apache authentication error

Conclusion

Your website is now secure with password authentication. Remember that password protection should be combined with SSL, so that your credentials are not sent to the server in plain text.

 
  • Good work. It helped to configure a http server on Centos 7. Thank you from Peru.

  • Perfect Article. Thanks very much for spending your time to share this with us. that was very useful for me. also i think that would be extra amazing if continue with form based authentication in apache using simple html page. Best wishes.

  • Good Article. But I am able to login even after giving the wrong password.

    E.g. my password: abcdefg123 but I could able to login with abcdefg, abcdefg1, abacdefg12345, abcdefg123fegdt etc.. like this. I am able to login with the password abcdef. I cleared history , cache, tried in other machine. still able to login with above said passwords. Can anyone look on this..

  • Good Article. But I am able to login even after giving the wrong password.

    E.g. my password: abcdefg123 but I could able to login with abcdefg, abcdefg1, abacdefg12345, abcdefg123fegdt etc.. like this. I am unable to login with the password abcdef. I cleared history , cache, tried in other machine. still able to login with above said passwords. Can anyone look on this..

  • right to the point. worked like a charm. Appreciate your effort.

Log In, Add a Comment