How To Use HTTP Basic Authentication With Apache Using htpasswd On Ubuntu 20.04 LTS

This tutorial provides the steps required to password-protect or restrict access to a site, or a specific section of it, using the htpasswd utility with the Apache Web Server on Ubuntu 20.04 LTS.

June 14, 2020

Apache Web Server is among the popular web servers and is widely used to host static and PHP-based websites. We can password-protect either the complete site or specific sections of it using the htpasswd utility with the Apache Web Server. This tutorial provides the steps to generate username and password pairs using the htpasswd utility and store them in the .htpasswd file. It also shows how to password-protect or restrict access to the complete site or specific sections of it by updating the virtual host or by adding and configuring the .htaccess file. All the examples provided in this tutorial were tested using Apache 2.4 installed on Ubuntu 20.04 LTS. The steps should be the same for other versions of Ubuntu and other Linux systems.

Prerequisites

This tutorial assumes that you have already installed Ubuntu 20.04 LTS desktop or server version either for local or production usage. You can follow Install Ubuntu 20.04 LTS Desktop, Install Ubuntu 20.04 LTS On Windows Using VMware, and Spin Up Ubuntu 20.04 LTS Server On Amazon EC2 to install Ubuntu 20.04 LTS. It also assumes that you have either root privileges or a regular user with sudo privileges.

It also assumes that the Apache Web Server is already installed. You may follow How To Install Apache 2 On Ubuntu 20.04 LTS, Configure Virtual Host On Apache, and How To Install Let's Encrypt For Apache On Ubuntu.

In the case of production usage, it assumes that you have access to the remote server.

Generate Password

This section provides the steps to generate and store the password using the htpasswd utility. Use the commands below to install the utility and create the password file.

# Install Apache Utils
sudo apt install apache2-utils

# Create Password File
sudo htpasswd -c /<path to .htpasswd>/.htpasswd username

# Example 1
sudo htpasswd -c /etc/secure/.htpasswd nick

# Output
New password: <strong password>
Re-type new password: <strong password>
Adding password for user nick

This generates the password hash and stores the username and hash pair on a separate line in the .htpasswd file. The -c argument creates the file and overwrites it if it already exists, so we add more users to the same file without the -c argument, as shown below.

# Example 2 - no -c, so the existing file is kept
sudo htpasswd /etc/secure/.htpasswd roy

# Output
New password: <strong password>
Re-type new password: <strong password>
Adding password for user roy

We can also inspect the content of the htpasswd file as shown below.

# Echo File Content
cat /etc/secure/.htpasswd

# .htpasswd File Content
nick:$apr1$C9tqmsDt$ztcUda2bK12BC1brVYtv00
roy:$apr1$TAgZlVu1$Vil6BFu75PsErb3tnxv12/
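
As an added example (not part of the original tutorial), the shell function below audits an .htpasswd file in the format shown above: it labels each entry by hash scheme and flags malformed lines, repeated usernames and unsalted {SHA} entries. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# audit_htpasswd [FILE]: print "user<TAB>verdict" for each entry (stdin if no FILE).
# Exit status is 1 if any entry is malformed, repeated, unsalted or unrecognised.
audit_htpasswd() {
    awk '
    /^[ \t]*$/ || /^#/ { next }                  # skip blank lines and comments
    {
        i = index($0, ":")
        if (i < 2 || i == length($0)) {          # no colon, empty user or empty hash
            printf "%s\tmalformed\n", $0; bad = 1; next
        }
        user = substr($0, 1, i - 1); hash = substr($0, i + 1)
        n = split(hash, p, /[$]/)                # "$apr1$salt$digest" -> "", apr1, salt, digest
        b64 = (n == 4 && p[4] ~ "^[./0-9A-Za-z]+$")
        if (seen[user]++)
            v = "duplicate-user"                 # a second entry for the same name
        else if (b64 && p[1] == "" && p[2] == "apr1" && length(p[3]) >= 1 && length(p[3]) <= 8 && length(p[4]) == 22)
            v = "apr1-md5"                       # the scheme seen in the file above
        else if (b64 && p[1] == "" && p[2] ~ "^2[aby]$" && p[3] ~ "^[0-9][0-9]$" && length(p[4]) == 53)
            v = "bcrypt"
        else if (substr(hash, 1, 5) == "{SHA}")
            v = "unsalted-sha1"
        else
            v = "unrecognised"
        if (v != "apr1-md5" && v != "bcrypt") bad = 1
        printf "%s\t%s\n", user, v
    }
    END { exit bad }' "${1:--}"
}

# Constructed sample input: two well-formed apr1 entries plus invented bad lines.
sample_htpasswd() {
    cat <<'EOF'
nick:$apr1$C9tqmsDt$ztcUda2bK12BC1brVYtv00
roy:$apr1$TAgZlVu1$Vil6BFu75PsErb3tnxv12/
nick:$apr1$C9tqmsDt$ztcUda2bK12BC1brVYtv00
legacy:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
broken:1$pr1$C9tqmsDt$ztcUda2bK12BC1brVYtv00
nocolon
EOF
}

sample_htpasswd | audit_htpasswd || echo "audit: some entries need attention" >&2
```

On a real server, run it as `audit_htpasswd /etc/secure/.htpasswd`; the non-zero exit status lets a deployment check fail when an entry needs attention.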

Configure Virtual Host

This section provides the configurations required to password-protect the site by updating the virtual host. The virtual host of a site hosted by the Apache Web Server should look similar to the configuration shown below.

<VirtualHost *:80>
    ServerName myserver.com
    ServerAlias www.myserver.com
    ServerAdmin admin@myserver.com

    DocumentRoot /var/www/myserver.com
    <Directory /var/www/myserver.com>
        Options -Indexes +FollowSymLinks
        DirectoryIndex index.php
        AllowOverride All
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

The above configuration does not block any resource of the site myserver.com. We can update the virtual host to completely password protect the site by implementing HTTP Basic Authentication as shown below.

<VirtualHost *:80>
    ServerName myserver.com
    ServerAlias www.myserver.com
    ServerAdmin admin@myserver.com

    DocumentRoot /var/www/myserver.com
    <Directory /var/www/myserver.com>
        Options -Indexes +FollowSymLinks
        DirectoryIndex index.php
        AllowOverride All

        # Password Protect the site and restrict access
        AuthType Basic
        AuthName "Restricted Content"
        AuthUserFile /etc/secure/.htpasswd
        Require valid-user
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Each parameter is explained below.

  • AuthType - Basic - Enables HTTP Basic Authentication, which checks the submitted credentials against the password file specified by the AuthUserFile configuration. Basic Authentication sends the username and password base64-encoded, not encrypted, with every request, so serve the protected site over HTTPS.
  • AuthName - The title of the authentication dialog shown to the users accessing the password-protected site.
  • AuthUserFile - The path to the htpasswd file holding the username and password pairs, as created in the previous section.
  • Require - valid-user - Allow only the users who supply a valid username and password.

Now restart the Apache Web Server and try to access the site.

# Restart Apache
sudo systemctl restart apache2

The auth dialog should be similar to Fig 1.

Fig 1: Basic Authentication - Apache - Auth Dialog

The site becomes accessible after providing a valid username and password. If the username or password is wrong, pressing the Cancel button shows the error below, as shown in Fig 2.

Unauthorized

This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.

Fig 2: Basic Authentication - Apache - Password Error

Configure Site

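This section provides the options to password-protect and restrict access to either the complete site or a part of it. We can apply the same rules as we added to the virtual host by creating the .htaccess file as shown below. Apache reads these directives from .htaccess only when overrides are allowed for the directory, as the AllowOverride All line in the virtual host above does.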

# Add .htaccess to the site root
sudo nano /var/www/myserver.com/.htaccess

# Content
# Password Protect the site and restrict access
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/secure/.htpasswd
Require valid-user

# Save and exit the editor

This will password-protect the entire site and restrict access to it. Also, there is no need to reload or restart the Apache Web Server when using the .htaccess file. Similarly, we can add a .htaccess file to a sub-directory of the site with the same configuration to password-protect only that sub-directory.

Summary

This tutorial provided the steps required to generate the password file using htpasswd and configure the virtual host to password-protect and restrict access to the whole website. It also showed how to password-protect the site, either completely or in part, using the .htaccess file.
