Apache Guide: Apache Authentication, Part 1
Authentication is any process by which you verify that someone is who they claim they are. Authorization is any process by which someone is allowed to be where they want to go, or to have information that they want to have. In this article, Rich Bowen introduces some basic methods of authenticating users under Apache.
If you have information on your Web site that is sensitive or intended for only a small group of people, the techniques in this article will help you make sure that the people that see those pages are the people that you wanted to see them.
This is the first in a two-part series. In this article, I'm going to cover the standard way of protecting parts of your Web site that most of you are going to use. In the next part I'll talk about using databases, rather than text files, to contain your user and group information. Somewhere in here I'll talk about using things other than usernames and passwords to protect your web site from "intruders"--such as the IP address of the visitor.
Everything from here on assumes that your web server permits
.htaccess files. This is something that your server administrator
(assuming that's not you) should easily be able to tell you and set up for you.
The relevant directive is the
And you'll need to know a little bit about the directory structure of your server, in order to know where some files are kept. This should not be terribly difficult, and I'll try to make this clear when we come to that point.
Here are the basics of password protecting a directory on your server.
You'll need to create a password file. This file should be placed somewhere
outside of your document directory. This is so that folks cannot download the
password file. For example, if your documents are served out of
/usr/local/apache/htdocs you might want to put the password
To create the file, use the
htpasswd utility that came with
Apache. This is located in the
bin directory of wherever you
installed Apache. To create the file, type:
htpasswd -c /usr/local/apache/passwd/passwords rbowen
htpasswd will ask you for the password and then ask you to type it again to confirm it:
# htpasswd -c /usr/local/apache/passwd/passwords rbowen
New password: mypassword
Re-type new password: mypassword
Adding password for user rbowen
If htpasswd is not in your path, of course you'll have to type the full path to the file to get it to run. On my server, it's located at
Next, you'll need to create a file in the directory you want to protect. This file is usually called
.htaccess, although on Windows it's called
htaccess (without the leading period).
.htaccess needs to contain the following lines:
AuthType Basic
AuthName "By Invitation Only"
AuthUserFile /usr/local/apache/passwd/passwords
AuthGroupFile /dev/null
require user rbowen
The next time that you load a file from that directory, you should see the familiar username/password dialog box pop up. If you don't, chances are pretty good that you are not permitted to use
.htaccess files in the directory in question.
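An added example, not part of the original article: a small Python check that the AuthUserFile named in an .htaccess sits outside the document directory and that each user in "require user" has an entry in the password file. The function names and the password entry are constructed for illustration; the directives and paths are the ones shown above.

```python
import os
import shlex

def parse_htaccess(text):
    """Map each directive name (lower-cased) to its argument list."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = shlex.split(line)  # keeps "By Invitation Only" as one argument
            directives[parts[0].lower()] = parts[1:]
    return directives

def inside(path, root):
    """True if path is root or lies below it (lexical check, symlinks not resolved)."""
    path, root = os.path.normpath(path), os.path.normpath(root)
    return os.path.commonpath([path, root]) == root

def audit(htaccess_text, docroot, passwd_text):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    d = parse_htaccess(htaccess_text)
    user_file = (d.get("authuserfile") or [None])[0]
    if user_file is None:
        findings.append("no AuthUserFile directive")
    elif not os.path.isabs(user_file):
        findings.append("AuthUserFile is relative; location not checked")
    elif inside(user_file, docroot):
        findings.append("AuthUserFile is under the document directory and may be downloadable")
    # htpasswd writes one "user:hash" entry per line
    users = {l.split(":", 1)[0] for l in passwd_text.splitlines() if ":" in l}
    req = d.get("require", [])
    if req[:1] == ["user"]:
        for name in req[1:]:
            if name not in users:
                findings.append(f"required user {name!r} is not in the password file")
    return findings

# Directives from the article; the password entry is constructed (not a real hash).
HTACCESS = '''AuthType Basic
AuthName "By Invitation Only"
AuthUserFile /usr/local/apache/passwd/passwords
AuthGroupFile /dev/null
require user rbowen
'''
PASSWD = "rbowen:$apr1$constructed$placeholderhashvalue\n"
DOCROOT = "/usr/local/apache/htdocs"

if __name__ == "__main__":
    for finding in audit(HTACCESS, DOCROOT, PASSWD) or ["ok"]:
        print(finding)
```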