Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!

Password protecting Apache web pages Apps
[Editor's note: I have added one key missing instruction about modifying apache.conf to the details; this is also discussed in the comments.]

"Guestwhat" wrote in with a question:
Could someone help me to enable a turn key on my web site in Mac OS X Beta? What I meant was when a user log go to my web site I want to have a username and password inorder for them to access.
One method of doing this is with .htaccess files. When your server goes to serve a page, it looks in the top directory for an .htaccess file, and then checks each sub-directory down to and including the directory that holds the requested page. So if you place an .htaccess file in the top directory of your server pages folders, you will protect all the files in your domain. Read on to see how I used this to protect my home site.

Let's assume that your username is foo, and that your web server files are in the default OS X location, /Library/WebServer/Documents. You need to do the following from within a terminal session. I'm going to use vi as the editor, but pick your personal favorite.
cd /Library/WebServer/Documents
vi .htaccess
Insert the following lines in the new file:
AuthUserFile /Users/foo/webstuff/.htpasswd
AuthGroupFile /dev/null
AuthName ByPassword
AuthType Basic
<Limit GET>
require user username
Notice that the first line references a file outside the web server's structure. In this case, I used a folder called "webstuff" in foo's user directory. You could also add group restrictions, but in this case, I'm just protecting for users ("username" in the sample). Obviously, replace this with the real user name you'd like to use. You can also limit the users to actions other than GET, ie POST or PUT for cgi-bin files. Just add them (with a space between) to the "Limit GET" line.

Next, you need to create a password for username in the location you specified. The htpasswd program will do this for you:
htpasswd -c /Users/foo/webstuff/.htpasswd username
You will be prompted to enter the password twice.

New step added The last thing you need to do is to edit the "apache.conf" file. From a terminal session, using your favorite editor, edit:
You want to find the section that looks like this:
# This controls which options the .htaccess files in directories can
# override. Can also be "All", None or any combination of "Options", "FileInfo",
# "AuthConfig", and "Limit"
AllowOverride None
Change the last line to read
AllowOverride AuthConfig
(You can read the comments if you want a brief explanation of what this does). Save your changes, and restart your webserver. The easiest way to do this is in the terminal
apachectl restart
That should do it; after completing these steps, you will be required to enter your chosen username and password before opening any page on your site. You can use variations in certain subdirectories to further control access. For example, if you put the .htaccess file in a subdirectory named "vipstuff," then anyone could browse your site password-free, until they requested a page in the "vipstuff" directory.

Disclaimer: I am not a security expert by any stretch, and I don't claim to know just how secure this method is on a hacker-proof scale!
  • Currently 2.11 / 5
  You rated: 2 / 5 (9 votes cast)

Password protecting Apache web pages | 9 comments | Create New Account
Click here to return to the 'Password protecting Apache web pages' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
In addition to the above
Authored by: Anonymous on Dec 11, '00 09:39:07PM

I had to change the following line in apache.conf from "AllowOveride None" to "AllowOverride All" to get this to work. Now everything works as advertised.

# This controls which options the .htaccess files in directories can
# override. Can also be "All", None or any combination of "Options", "FileInfo",
# "AuthConfig", and "Limit"
AllowOverride All



[ Reply to This | # ]
In addition to the above
Authored by: robg on Dec 11, '00 10:02:27PM
Good catch; I forgot that key step. To be more secure, however, simply change it to
AuthConfig instead of all. This will only allow the .htaccess file to override
authorization information, and not any other Apache commands.

[ Reply to This | # ]
In addition to the above
Authored by: Anonymous on Jun 29, '01 01:37:06PM

What gives with htpasswd? I get the following error running "apachectl configtest" or trying to restart Apache.

Invalid command 'ANYUSERNAME:ntIug0YJJW0V6', perhaps mis-spelled or defined by a module not included in the server configuration.

Looks like OS X doesn't understand the tokens. I have tried all of the encryption methods and plaintext, nothing works.

[ Reply to This | # ]
Much Mahalo All
Authored by: Anonymous on Dec 14, '00 04:08:14AM

Thank you everyone for all your help. Big thanks to Rob for this site.

Guest What

[ Reply to This | # ]
What in the @#@*
Authored by: Anonymous on Jul 05, '01 01:19:18PM

I set up the require .htpasswd file and appropriate .htaccess in the directory.

It works, yet I can't restart Apache due to a config error:

apachectl configtest

Processing config file: /private/etc/httpd/users/.htpasswd
Syntax error on line 1 of /private/etc/httpd/users/.htpasswd:
Invalid command 'username:AYDJc8.vmUB2w', perhaps mis-spelled or defined by a module not included in the server configuration

It doesn't matter which option I use:

-m Force MD5 encryption of the password.
-d Force CRYPT encryption of the password (default).
-p Do not encrypt the password (plaintext).
-s Force SHA encryption of the password.

Apache will not restart unless .htpasswd is empty and with that nothing gets in.

Any ideas?

Running Apache 1.3.20
PHP 4.*

Note that my version of Apache is not in the standard Apple locations, but follows BSD tree.

The module is there (mod_auth & the .so) and not commented out in httpd.conf

[ Reply to This | # ]
In addition: What in the @#@*
Authored by: Anonymous on Jul 05, '01 04:55:22PM

I notice that .htaccess works but Apache will not restart if any entries exist in this file. If I remove U:P from the .htaccess file Apache will restart I have to place them back in their my hand. This really sucks.

[ Reply to This | # ]
moved configuration file: apache.conf
Authored by: mzajac on Aug 26, '01 04:46:35PM

In MacOS X 10.0.4, the built-in Apache server keeps the configuration file at /etc/httpd/httpd.conf, instead of /Library/WebServer/Configuration/apache.conf.

[ Reply to This | # ]
Case sensitive?
Authored by: yokemay on Sep 23, '02 02:57:06AM

Dear all,

I've tried the method and found a flaw on it. The protected folder is 'intranet' but when i enter 'INTRANET' on the browser, I can by-pass the login dialog box.

what can be done to resolve this matter? pls advise.

thanks in advance.


[ Reply to This | # ]
Password protecting Apache web pages
Authored by: jordan314 on Feb 27, '12 01:32:40AM

This still works in Lion but the apache config file is now at /etc/apache2/httpd.conf.
It took me a second to realize you should replace username in "require user username" with the username you created.

[ Reply to This | # ]