How to Set Up Basic HTTP Authentication in Apache

Basic HTTP authentication uses usernames and passwords to secure certain routes of your website. It’s commonly used to lock down admin panels and backend services, and—in conjunction with HTTPS—provides good security for web based resources.

How Does HTTP Authentication Work?

Basic HTTP authentication protects certain resources or routes with a username and password. When a user attempts to access that resource, their browser pops up a dialog asking for credentials before sending anything over. The admin panels of most home routers are secured in this way.

Behind the scenes, when a user attempts to access a protected resource, the server sends the user a WWW-Authenticate header along with a 401 Unauthorized response. The client sends back the appropriate username and password, stored in the Authorization header. The server checks the combination against a list of hashed passwords, and the client is allowed to connect if it matches.

Basic HTTP authentication requires sending passwords in plaintext, you need to have HTTPS/TLS set up on your server, or else you’ll be vulnerable to man-in-the-middle attacks. HTTPS will encrypt the connection and lock out anyone attempting to sniff your password. You can set up a free certificate with LetsEncrypt, or if you’re looking to secure a private server, create and sign one yourself.

Generate a Password File

For basic HTTP authentication to work, you will need a file to act as a database of usernames and their corresponding passwords. You can create this with the htpasswd utility, which should be installed with your Apache installation through the apache2-utils library. If it’s not installed, you can install it from your distro’s package manager; for Debian-based systems like Ubuntu, that would be:

sudo apt-get install apache2-utils

Next, you can generate the password file with the -c flag. This command creates a new password file and sets the password for the “admin” user:

sudo htpasswd -c /etc/apache2/.htpasswd admin

You’ll be prompted for a password, which will be hashed and stored in /etc/apache2/.htpasswd. If you want to add another user, leave out the -c flag to append an entry.

Alternatively, you can change Apache’s AuthBasicProvider option to allow for different methods of checking passwords, such as from databases. However, the default option of using htpasswd files works fine for most cases, especially with only a few users.

Configuring Apache

There are a few ways of configuring password authentication in Apache. You’ll still be adding the same config options, but Apache stores config files in a bunch of places and which one you’ll have to edit will depend on your configuration.

RELATED: How to Find Your Apache Configuration Folder

If you want to enable authentication for everything, you’ll want to edit the main config file:

/etc/apache2/apache2.conf

If you instead want to authenticate a specific folder, you’ll want to edit that folder’s config file in sites-enabled. For example, the default config is at:

/etc/apache2/sites-available/000-default.conf

though yours will likely be named based on the route. If you need to make a new one, you can copy this default config and change the DocumentRoot.

If you have managed hosting and don’t have access to the main config files, you’ll likely be modifying an .htaccess file, usually located at the root of your site’s folder. For example:

/var/www/html/.htaccess

In any case, you’ll want to open whatever file fits your use case, and add the following inside of a directory block. If you’re modifying an .htaccess file, the <Directory> block isn’t necessary, just the lines inside:

<Directory "/var/www/html">
  AuthType Basic
  AuthName "Restricted Content"
  AuthUserFile /etc/apache2/.htpasswd
  Require valid-user
</Directory>

The auth settings will apply to the entire directory, which you’d usually want to set to the entire document root, though you could apply it only to a specific folder by changing the path:

<Directory "/var/www/html/restricted">
</Directory>

This will set the authentication type and point Apache towards the password file. There’s no requirement to name it anything specific, so you can generate different password files for different directories.

Restart Apache to apply the changes:

sudo service apache2 restart

Check the protected route in your browser, and you should be stopped and asked for a password. If you can’t provide it, you’ll be given a 401 Unauthorized error and denied access.

Keep in mind that the passwords are still transmitted in plaintext, so you’ll want to enable HTTPS for Apache.