May 2004
Apache Authentication
by Russell J.T. Dyer
Although most Web pages are designed for public use, there are situations when you need to protect certain Web pages and directories from the general public. For those situations, it's necessary to configure Apache to request authentication from the user or implement some other method to control user access. In this installment of my series on Apache, I will describe authentication and how to control user access.
There are only a few tasks that must be performed to restrict access to a Web directory. The first is to determine which directory and files are to be restricted and who will have access to them. For the users to whom you will grant access, you will need to set up a list of those users along with their passwords. The second task is to edit the Apache configuration file (httpd.conf) or a .htaccess file contained in the restricted directory. If you're not familiar with this configuration file, you may want to refer to a previous article that I wrote on Apache Basics.
Basic Password File
The most common way to manage users and their passwords is to use the htpasswd program that comes with Apache. With it, you can create a password file, add users, and set their passwords. This file should be placed in a directory outside of the document root directory of your site (i.e., the argument of the DocumentRoot directive). Otherwise, an anonymous user might be able to download the user file and then crack the stored password hashes at his leisure. So if your document root is /var/www/html, you might create a directory called /var/www/users in which to place your user authentication files.
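A check for the placement rule above, as an added example that is not part of the original article: it scans configuration text for Apache's AuthUserFile directive and reports any password file that resolves to a path inside a DocumentRoot. The function name, the sample configuration, and the `/etc/httpd` ServerRoot default are assumptions made for illustration.

```python
import posixpath
import re

# Constructed sample config (not from the article); the paths reuse the
# article's /var/www/html and /var/www/users example.
SAMPLE_CONF = """
DocumentRoot "/var/www/html"
<Directory "/var/www/html/private">
    AuthType Basic
    AuthName "Staff"
    AuthUserFile /var/www/users/staff.passwd
    Require valid-user
</Directory>
<Directory "/var/www/html/reports">
    AuthType Basic
    AuthName "Reports"
    # Looks like a subdirectory path, but ".." lands it in the document root.
    AuthUserFile "/var/www/html/reports/../.htpasswd"
    Require valid-user
</Directory>
"""

# Matches the directive name and a quoted or bare path argument.
DIRECTIVE = re.compile(
    r'^[ \t]*(DocumentRoot|AuthUserFile)[ \t]+(?:"([^"]+)"|(\S+))', re.I | re.M)


def exposed_password_files(conf_text, server_root="/etc/httpd"):
    """Return AuthUserFile paths that fall inside any DocumentRoot.

    server_root is an assumed default; Apache resolves relative
    AuthUserFile paths against ServerRoot. Symlinks are not followed.
    """
    roots, pw_files = [], []
    for name, quoted, bare in DIRECTIVE.findall(conf_text):
        path = posixpath.normpath(posixpath.join(server_root, quoted or bare))
        (roots if name.lower() == "documentroot" else pw_files).append(path)
    # commonpath compares whole components, so /var/www/html2 is not
    # mistaken for a child of /var/www/html.
    return [pw for pw in pw_files
            if any(posixpath.commonpath([root, pw]) == root for root in roots)]


if __name__ == "__main__":
    for path in exposed_password_files(SAMPLE_CONF):
        print("password file inside document root:", path)
```

The same function can be run over the contents of a .htaccess file, provided the text passed in also includes the site's DocumentRoot line.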