1. Home
  2. Scripting
  3. Apache
  4. Setting Up Password Authentication in Apache on Ubuntu 14.04

Setting Up Password Authentication in Apache on Ubuntu 14.04

Password Authentication with Apache on Ubuntu 14.04
Password Authentication with Apache on Ubuntu 14.04

Introduction

After you set up a website on a server, there will often be sections from the site of which you want to restrict access to.

Web applications will often provide their own authentication and authorization methods, though the web hosting server itself can be used to restrict access in case these are inadequate or unavailable.

In this tutorial we will teach you how to password protect your assets on an Apache web hosting server running on a Ubuntu 14.04.

Prerequisites

In order to start, you will require access to an Ubuntu 14.04 environment.

You should also have a non-root user with sudo privileges in order to perform administrative tasks.

Install the Apache Utilities Package

If you want to create the file to store the passwords which needed access to the restricted content, you have to use a utility called ‘htpasswd’. You can find this in the ‘apache2-utils’ package inside the Ubuntu repositories.

Update the local package cache and, afterwards, install the package by executing the below command. We will take the opportunity to also grab the Apache2 server if it is not installed yet on the server.

 $ sudo apt-get update
 $ sudo apt-get install apache2 apache2-utils

Create the Password File

You will now have access to use the ‘htpasswd’ command. Now you can use it to create a password file that Apache will use to authenticate users. It will also create a hidden file for this purpose which is called ‘.htpasswd’ within your ‘/etc/apache2′ configuration directory.

Since this is your first time using this utility, you have to add the ‘-c’ option in order to create the specified file. You must specify a username (‘danny’ in our example) in the end of the command so it creates a new entry inside the file.

$ sudo htpasswd -c /etc/apache2/.htpasswd sammy

Now you will be asked to type and confirm a password for the user.

Leave out the ‘-c’ argument if there are any other users you might wish to add.

$ sudo htpasswd /etc/apache2/.htpasswd another_user

If you try viewing the contents of this file, you will be able to see the username and the encrypted password for each record.

$ cat /etc/apache2/.htpasswd
Output
 sammy:$apr1$lzxsIfXG$tmCvCfb49vpPFwKGVsuYz.
 another_user:$apr1$p1E9MeAf$kiAhneUwr.MhAE2kKGYHK.

Configuring Apache Password Authentication

Now since you have a file containing all of your users and passwords in a format that Apache is able to read, you have to configure Apache to check the file before you serve your protected content. You can do this in two different ways.

One of these options is to edit the Apache configuration and then add your password protection to the virtual host file.

This should give an overall better performance since it prevents the expense of reading distributed configuration files. We recommend this option if you have it.

If you are unable to modify the virtual host file, or if you are currently using ‘.htaccess’ files for different purposes, then you can restrict access with the use of an ‘.htaccess file’. Apache will use ‘.htaccess’ files to allow some configuration items to be set inside a file in a content folder. There are some disadvantages with Apache having to re-read the files on every request which will involve the directory and may impact performance.

Go for the option which best suits your needs.

Configuring Access Control within the Virtual Host Definition

Start with opening up the virtual host file that you would like to add a restriction to.

As an example, we are going to be using the ‘000-default.conf’ file; it will be the one that holds the default virtual host installed within Ubuntu’s Apache package.

sudo nano /etc/apache2/sites-enabled/000-default.conf

Inside, when the comments are stripped, the file will be close to looking like the below.

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Authentication will have to be done on a per-directory basis. If you would like to set up authentication, you will have to select the directory you want to restrict using a ‘<Directory__>’ block.

With our example, we are going to restrict the entire document root, though you can also edit this listening to specifically target only a directory inside the web space.

           /etc/apache2/sites-enabled/000-default.conf

<VirtualHost *:80>
  ServerAdmin webmaster@localhost
  DocumentRoot /var/www/html
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined

 <Directory "/var/www/html">
  </Directory>
</VirtualHost>

Inside this directory block, specify that you want to set up a Basic authentication. With the AuthName, you can select a realm name that will be displayed to the user when asked for credentials; make use of the AuthUserFile directive to point Apache to the password file you have made.

Now, you will have to use a valid-user in order to access this asset, this means whoever is able to verify their identity using a password will be permitted access.

/etc/apache2/sites-enabled/000-default.conf


<VirtualHost *:80>
 ServerAdmin webmaster@localhost
 DocumentRoot /var/www/html
 ErrorLog ${APACHE_LOG_DIR}/error.log
 CustomLog ${APACHE_LOG_DIR}/access.log combined

<Directory "/var/www/html">
 AuthType Basic
 AuthName "Restricted Content"
 AuthUserFile /etc/apache2/.htpasswd
 Require valid-user
 </Directory>
</VirtualHost>

When finished, save and close the file. Then, restart the Apache in order to apply your password policy.

sudo service apache2 restart

The directory you have selected should now be password protected.

Configuring Access Control with .htaccess Files

If you would like to set up password protection with ‘.htaccess’ files, you can start by modifying the main Apache configuration file in order to permit ‘.htacces’ files.

sudo nano /etc/apache2/apache2.conf

Search the ‘<Directory>’ block for the ‘/var/www directory’ which holds the document root. Enable ‘.htaccess’ processing by changing the AllowOverride directive inside the block from ‘None’ to ‘All’.

/etc/apache2/apache2.conf
. . .

<Directory /var/www/>
 Options Indexes FollowSymLinks
 AllowOverride All
 Require all granted
</Directory>

. . .

Save and close the file once you are finished.

You will now have to add a ‘.htaccess’ file to the directory you would like to restrict.

In our example, we have to restrict the entire document root (the entire website) which should be based at ‘/var/www/html’, however you can put this file in every directory you want to restrict access to.

sudo nano /var/www/html/.htaccess

Inside this file, you can specify that you want to set up Basic authentication. For the AuthName, select a realm name that’s going to be displayed to the user when prompting for credentials.

Use the AuthUserFile directive and point Apache to the password you have created. Then, you will need a valid-user to access this asset, this means whoever is able to verify their identity using a password will have access.

/var/www/html/.htaccess


AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user

Save and close the file. Then, restart the web server in order to password protect all of the content in or below the directory with the ‘.htaccess’ file.

sudo service apache2 restart

Confirm the Password Authentication

If you would like to confirm that your content is indeed protected, you can try to access your restricted content in a web browser.

You will now be presented with a username and a password prompt, and after you enter the correct credentials, you should be allowed to access any content. However, if you enter the wrong credentials or hit ‘Cancel’, then the ‘Unauthorized’ error page will popup.

Conclusion

Now everything should be ready for you to set up basic authentication for your site. Please keep in mind that password protection is usually combined with SSL encryption and that means your credentials are not sent to the server in plain text.

 
Updated on June 24, 2018

Was this article helpful?

Related Articles

Add A Comment