If you’re running your Website with Apache, securing the site with a password is a simple process. I recently ran through the process on a Windows box (Majority of the shots below) however the steps are pretty much the same for Windows or Linux Apache sites.
Step 1: Configure your .htaccess file
All the work will be done using your .htaccess file. You can find this file at the root of most Apache Websites.
The screenshot was taken from a vanilla install of WordPress running on Windows 2003 Server:
The .htaccess file is checked by Apache before displaying web pages. Typically it’s used for ReWrites or ReDirects however you can also use it to leverage the built-in security features of Apache.
So, the first step is to add a few parameters to the file. Below is a sample .htaccess file. (TIP: I use notepad++ to edit most PHP and related file)
AuthUserFile c:apachesecurity.htpasswd AuthName "Please Enter User & PW" AuthType Basic require valid-user
AuthUserFile: APACHE needs the location of the User/Password file. Just enter the full path to your password database file as shown above. The example above is taken from my Windows box. If you’re running Linux, it would be something like: AuthUserFile /full/path/to/.htpasswd
AuthName: This field defines the Title and Text for the popup box which will be requesting the Username and PW. You can make this ANYTHING you want. Here’s an example on my test box:
AuthType: This field tells Apache what type of Authentication is being used. In almost all cases, “Basic” is just fine (and the most common).
Require valid-user: This last command lets Apache know WHO is allowed. By using “valid-user“, you are telling Apache ANYONE is allowed to authenticate if they have a valid username and password.
If you prefer to be more EXACT, you can specify a specific USER or USERS. This command would look like:
Require user mrgroove groovyguest
In this case, only the users mrgroove and groovyguest would be allowed to enter the page/directory you’re protecting (after providing the correct username and password of course). All other users (including valid ones) will be denied access. If you want to allow more users, just separate them with spaces.
So, now that we have all the config settings made, here’s what your finished .htaccess file should look like:
Screenshot is taken from a Windows 2003 Server box running WordPress:
Step 2: Create the .htpasswd file
Creating the .htpasswd file is a simple process. The file is nothing more than a text file containing a list of Users and their encrypted passwords. Each User string should be separated onto its line. Personally, I just use notepad++ or Windows Notepad to create the file.
Shot below is an example .htpasswd file with two users:
Although Apache doesn’t “require” you to encrypt the passwords, it’s a simple process for both Windows and Linux Systems.
Navigate to your Apache BIN folder (usually found at C:\Program Files\Apache Group\Apache2bin) and execute the htpasswd.exe tool to generate an MD5 encrypted Username/Password string. You can also use the tool to create the .htpasswd file for you (whatever works…). For all the details, just execute the help switch from the command line (htpasswd.exe /?).
In almost all cases, however, just execute the following command:
htpasswd -nb username password
Once the command is executed, the htpasswd.exe tool will output the User string with it’s encrypted the password.
Screenshot below is an example of executing the htpasswd.exe tool on Windows 2003 Server
Once you have the User String, copy it into your .htpasswd file.
Goto: http://railpix.railfan.net/pwdonly.html to create your User strings with encrypted passwords. Very simple process.
Step 3: Verify Apache is configured properly *optional
By default, Apache has the correct Modules enabled. That being said, it never hurts to be a little proactive plus it’s a quick “check”.
Open your Apache httpd.conf file and verify the AUTH module is enabled:
If you find the module isn’t enabled, just correct it as shown above. Don’t forget; you need to restart Apache for changes to your httpd.conf to take effect.
That should take care of it. All done.