Thursday, March 15, 2007

Apache HTTP Authentication

With Apache HTTP authentication you can password-protect part of a website or the whole site, so that only a selected set of people can view those parts.

The configuration directives required for this can be put either in the Apache server configuration files ( /etc/httpd/conf/httpd.conf OR /etc/httpd/conf.d/*.conf ) inside a <Directory> block, or in a per-directory access file (.htaccess). If you are using a .htaccess file, the <Directory> block covering that path in your main configuration must permit it with the following directive:

AllowOverride AuthConfig

First of all, we need to create a password database file containing username and password pairs. htpasswd does not store the password itself but a one-way hash of it; there is no way to recover the password from the file. On Unix the traditional default was crypt(3), which is weak: it silently truncates the password to 8 characters and uses only a 12-bit salt. Prefer the salted MD5 scheme (-m, the default in newer versions) or, where your htpasswd supports it (2.4.4 and later), bcrypt (-B).

The command used to create the password file is htpasswd, which ships with the Apache package.
[root@LinuxBox1 ~]#htpasswd -c /var/hosting/safeer/secrets/users.sec safeer
New password:
Re-type new password:
Adding password for user safeer

This command does two things. The '-c' option creates a new password file /var/hosting/safeer/secrets/users.sec if it does not exist, or truncates it if it already exists (so never use '-c' against a file that already holds users). Then the user 'safeer' is added to the file.

[root@LinuxBox1 ~]#cat /var/hosting/safeer/secrets/users.sec
safeer:zgmIJyIiuD87U

To add a new user to the file:
[root@LinuxBox1 ~]#htpasswd /var/hosting/safeer/secrets/users.sec rojar
New password:
Re-type new password:
Adding password for user rojar
[root@LinuxBox1 ~]#cat /var/hosting/safeer/secrets/users.sec
safeer:zgmIJyIiuD87U
rojar:NQ7DlFlAqSMBQ

To delete a user from the file:
[root@LinuxBox1 ~]#htpasswd -D /var/hosting/safeer/secrets/users.sec safeer
Deleting password for user safeer

My document root is /var/hosting/safeer/www and I want to password-protect the subdirectory /var/hosting/safeer/www/confidential.

If you are modifying the main configuration files, the entries should go inside <Directory /var/hosting/safeer/www/confidential></Directory>. If you are using .htaccess, place that file in /var/hosting/safeer/www/confidential. If you are editing the main configuration files, don't forget to reload the service; .htaccess changes take effect on the next request.

Now, either in the main configuration files or in the .htaccess file, add the following.

AuthType Basic
AuthName "Confidential Data"
AuthUserFile /var/hosting/safeer/secrets/users.sec
Require user rojar

AuthType : Type of authentication. The most common form is 'Basic', in which the browser sends username:password base64-encoded with every request, which is as good as cleartext to anyone on the network path; use it only over HTTPS. The other method is 'Digest' (mod_auth_digest, with a password file created by htdigest rather than htpasswd), which sends an MD5 hash of the credentials combined with a server nonce instead of the password itself. It keeps the password off the wire but does not protect the content or prevent tampering, so it is not a substitute for TLS, and older HTTP clients did not support it.

AuthName : Authentication realm. This string is displayed to the client as part of the pop-up window that prompts for username and password. In addition, the client automatically reuses the same credentials when two or more restricted areas on the same server share the same realm, so once the user has entered his/her credentials, he/she is not prompted for username and password again for each area using that realm.

AuthUserFile : Location of the password file. The file must not be inside the document root, otherwise it could be downloaded; it should also be readable only by root and the user Apache runs as.

Require : Specifies who has access to the area (authorization, as opposed to authentication). Here only the user rojar has the privilege to access this area.

If you want to allow more than one user access to a particular area:

Require user safeer baiju nebu rojar ...
will allow all these users, provided each of them has an entry in the 'AuthUserFile'.

The easiest way is to allow every user in the AuthUserFile:
Require valid-user


You can use groups to organise users for authorization. Point Apache at a group file with the directive:
AuthGroupFile /var/hosting/safeer/secrets/groups.sec
The group file lists group names and their members, one group per line, in the following format:
Groupname: user1 user2 user3 ....

Eg:
/var/hosting/safeer/secrets/groups.sec
Confidential: safeer rojar

Now modify the Require directive to authorize this group:
Require group Confidential

This lets the users listed in the Confidential group access this area. Altogether the directives required are:
AuthType Basic
AuthName "Confidential Data"
AuthUserFile /var/hosting/safeer/secrets/users.sec
AuthGroupFile /var/hosting/safeer/secrets/groups.sec
Require group Confidential
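To make the two halves of the above concrete, here is an added worked example (my own code, not part of the original post or of Apache) that emulates what mod_auth_basic and the file-based authorization modules do for a single request: it decodes the Basic Authorization header (showing that the password travels as plain base64), looks the user up in an htpasswd-format file and checks the password against the stored one-way hash, then evaluates a Require rule (user, group or valid-user) against a group file in the format shown above. The $apr1$ routine implements Apache's salted-MD5 scheme as written by htpasswd -m, and {SHA} is the unsalted scheme from htpasswd -s; legacy crypt(3) entries like the 13-character hashes shown earlier are deliberately rejected rather than verified, since that needs the platform crypt(). The usernames, passwords, salt and file contents are constructed for the example.

```python
import base64
import hashlib
import hmac

# Alphabet used by the $apr1$ scheme to encode the final digest.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    # Emit `count` characters, 6 bits each, least significant first.
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def apr1_hash(password: bytes, salt: str) -> str:
    """Apache's $apr1$ scheme (htpasswd -m): salted MD5, 1000 stretching rounds."""
    salt = salt[:8]
    sb = salt.encode()
    ctx = hashlib.md5(password + b"$apr1$" + sb)
    alt = hashlib.md5(password + sb + password).digest()
    remaining = len(password)
    while remaining > 0:                     # mix in the alternate sum, 16 bytes at a time
        ctx.update(alt[:min(remaining, 16)])
        remaining -= 16
    bits = len(password)
    while bits:                              # one byte per bit of the password length
        ctx.update(b"\x00" if bits & 1 else password[:1])
        bits >>= 1
    final = ctx.digest()
    for rnd in range(1000):                  # the stretching loop
        c = hashlib.md5(password if rnd & 1 else final)
        if rnd % 3:
            c.update(sb)
        if rnd % 7:
            c.update(password)
        c.update(final if rnd & 1 else password)
        final = c.digest()
    f = final
    encoded = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
               + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
               + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
               + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
               + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
               + _to64(f[11], 2))
    return f"$apr1${salt}${encoded}"


def sha1_hash(password: bytes) -> str:
    """htpasswd -s: unsalted SHA-1, base64 encoded (weak, shown only for parsing)."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password).digest()).decode()


def check_password(stored: str, password: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    if stored.startswith("$apr1$"):
        return hmac.compare_digest(apr1_hash(password, stored.split("$")[2]), stored)
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(sha1_hash(password), stored)
    return False  # crypt(3), bcrypt etc. are not handled here: fail closed


def parse_htpasswd(text: str) -> dict:
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, _, pwhash = line.partition(":")
            users[user] = pwhash
    return users


def parse_groups(text: str) -> dict:
    """AuthGroupFile format: 'Groupname: user1 user2 ...'"""
    groups = {}
    for line in text.splitlines():
        if ":" in line:
            name, _, members = line.partition(":")
            groups[name.strip()] = set(members.split())
    return groups


def basic_header(user: str, password: str) -> str:
    """What the browser sends after the 401 prompt: base64(user:password)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic(header: str):
    """Inverse of basic_header; anyone on the path can do this, hence TLS."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")  # split on the FIRST colon only
    return (user, password) if sep else None


def authenticate_request(header: str, users: dict):
    """Return the username if the header carries valid credentials, else None."""
    creds = decode_basic(header)
    if creds is None:
        return None
    user, password = creds
    stored = users.get(user)
    return user if stored is not None and check_password(stored, password.encode()) else None


def authorize(require: str, user: str, groups: dict) -> bool:
    """Evaluate 'Require user a b', 'Require group g h' or 'Require valid-user'."""
    words = require.split()
    if words[:1] == ["Require"]:
        words = words[1:]
    if not words:
        return False
    if words == ["valid-user"]:
        return True
    if words[0] == "user":
        return user in words[1:]
    if words[0] == "group":
        return any(user in groups.get(g, set()) for g in words[1:])
    return False  # unknown rule type: fail closed


# Constructed sample files. 'nebu' has a crypt(3)-style 13-character hash
# (the format shown in the post) purely to show such entries are rejected here.
USERS_FILE = "\n".join([
    "rojar:" + apr1_hash(b"rojar-pass", "Yx3kQ9Lm"),
    "safeer:" + sha1_hash(b"safeer-pass"),
    "nebu:zgmIJyIiuD87U",
])
GROUPS_FILE = "Confidential: safeer rojar\n"


def handle(header: str, require: str) -> str:
    """Authentication then authorization. Apache 2.4 answers 401 in both failure
    cases unless AuthzSendForbiddenOnFailure On turns the second into 403."""
    user = authenticate_request(header, parse_htpasswd(USERS_FILE))
    if user is None:
        return "auth-required"
    return "allow" if authorize(require, user, parse_groups(GROUPS_FILE)) else "forbidden"


if __name__ == "__main__":
    hdr = basic_header("rojar", "rojar-pass")
    print("on the wire:", hdr, "-> decodes to", decode_basic(hdr))
    print(handle(hdr, "Require group Confidential"))                         # allow
    print(handle(basic_header("safeer", "safeer-pass"), "Require user rojar"))  # forbidden
    print(handle(basic_header("rojar", "wrong"), "Require valid-user"))      # auth-required
```

Run it as-is to see the three outcomes; to compare the $apr1$ routine against the real tool, `htpasswd -nbm user pass` prints an entry whose salt you can feed to apr1_hash and expect the identical string.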
