RHEL6 – Using htpasswd to Create a Secure Apache Directory

Bank-vaultThe process of setting up a simple password protected web directory on an Apache server is rather easy. The simplest way to accomplish this task is to use flat-file user authentication. Disclaimer, I am not claiming that the directions below are the most complete, or the most secure. However they work and are probably the most simple.

The first thing that you need to do is to create a "secret" directory. In this instance my web root is /var/www2/html, so I will create my secure directory under that tree.

#mkdir /var/www2/html/secret

Now lets create an index.html inside our secret directory for the purpose of testing.

#echo "Secret Directory Working" > /var/www2/html/secret/index.html

This way we have something to look at when we actually are able to get this working correctly.

Now using the htpasswd command we need to create an htpasswd file and add a user that will have access to our top secret directory. Note that you should not create this file inside your web-root.

#htpasswd -c /etc/httpd/.htpasswd fatmin

In the example above the "-c" option creates our htpasswd file, fatmin is the user that we want to grant access to. You will be prompted for a password.

Now add the following stanza to your httpd.conf. Note that AuthName is the text that will display when the user is prompted for a password. AuthUserFile is the location of the password file. Basic is pretty much the only auth method that anyone uses.

<Directory /var/www2/html/secret>
AuthName "Secret Directory"
AuthType basic
AuthUserFile /etc/httpd/.htpasswd
Require valid-user

Now restart apache, and when you navigate to http://www.mysite.com/secret you should be prompted for a userid and password.