Basic HTTP authentication uses usernames and passwords to secure certain routes of your website. It’s commonly used to lock down admin panels and backend services, and—in conjunction with HTTPS—provides good security for web based resources.
How Does HTTP Authentication Work?
Basic HTTP authentication protects certain resources or routes with a username and password. When a user attempts to access that resource, their browser pops up a dialog asking for credentials before sending anything over. The admin panels of most home routers are secured in this way.
Behind the scenes, when a user attempts to access a protected resource, the server sends the user a WWW-Authenticate header along with a 401 Unauthorized response. The client sends back the appropriate username and password, stored in the Authorization header. The server checks the combination against a list of hashed passwords, and the client is allowed to connect if it matches.
Because basic HTTP authentication sends passwords in plaintext, you need to have HTTPS/TLS set up on your server, or else you'll be vulnerable to man-in-the-middle attacks. HTTPS encrypts the connection and locks out anyone attempting to sniff your password. You can set up a free certificate with Let's Encrypt, or, if you're looking to secure a private server, create and sign one yourself.
Generate a Password File
For basic HTTP authentication to work, you will need a file to act as a database of usernames and their corresponding passwords. You can create this with the htpasswd utility, which should be installed with your Apache installation through the apache2-utils package. If it's not installed, you can install it from your distro's package manager; for Debian-based systems like Ubuntu, that would be:
sudo apt-get install apache2-utils
Next, you can generate the password file with the -c flag. This command creates a new password file and sets the password for the "admin" user:
sudo htpasswd -c /etc/apache2/.htpasswd admin
You'll be prompted for a password, which will be hashed and stored in /etc/apache2/.htpasswd. If you want to add another user, leave out the -c flag to append an entry.
Alternatively, you can change Apache's AuthBasicProvider option to allow for different methods of checking passwords, such as from databases. However, the default option of using htpasswd files works fine for most cases, especially with only a few users.
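To make the exchange described above concrete, here is an added example (not code from the article or from Apache) that simulates what the server does with an htpasswd file: parse the file, challenge a request that carries no credentials with a 401 and a WWW-Authenticate header, decode the Authorization header the browser sends back, and verify the password against the stored hash in constant time. The sample htpasswd content is constructed in the script, using the {SHA} entry format that htpasswd -s writes; the user names, passwords, and function names are assumptions for this example, and entries in other hash formats (bcrypt, apr1-MD5) are rejected rather than guessed.

```python
import base64
import hashlib
import hmac

REALM = "Restricted Content"  # matches the AuthName used in the article's config


def make_sha_entry(user, password):
    """Build one htpasswd line in the {SHA} format that `htpasswd -s` writes."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"


# Constructed stand-in for /etc/apache2/.htpasswd; users and passwords are
# invented for this example, not taken from the article.
SAMPLE_HTPASSWD = "\n".join([
    make_sha_entry("admin", "correct horse"),
    make_sha_entry("alice", "hunter2"),
    "# comment lines and blank lines are ignored",
    "",
])


def load_htpasswd(text):
    """Parse htpasswd text into a {user: hash_field} dict."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, hashed = line.partition(":")
        users[user] = hashed
    return users


def check_password(stored, password):
    """Verify a password against one htpasswd hash field.

    Only the {SHA} format is implemented here; bcrypt ($2y$) and apr1-MD5
    ($apr1$) entries need extra libraries, so they are rejected, not guessed.
    """
    if stored.startswith("{SHA}"):
        expected = base64.b64decode(stored[len("{SHA}"):])
        actual = hashlib.sha1(password.encode()).digest()
        return hmac.compare_digest(expected, actual)  # constant-time compare
    return False


def handle_request(headers, users):
    """Simulate Apache's handling of one request to a protected route.

    `headers` is a dict of request headers. Returns (status, response_headers).
    """
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        # No usable credentials yet: challenge the client.
        return 401, challenge
    try:
        user, _, password = base64.b64decode(token).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 bytes
        return 400, {}
    if user in users and check_password(users[user], password):
        return 200, {}
    return 401, challenge  # unknown user or wrong password: challenge again


def basic_header(user, password):
    """What the browser sends after the user fills in the credentials dialog."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def decode_header(header_value):
    """Show why TLS matters: the header is only base64-encoded, not encrypted."""
    return base64.b64decode(header_value.split(" ", 1)[1]).decode()


if __name__ == "__main__":
    users = load_htpasswd(SAMPLE_HTPASSWD)
    print(handle_request({}, users))
    hdr = basic_header("admin", "correct horse")
    print(hdr, "->", decode_header(hdr["Authorization"]))
    print(handle_request(hdr, users))
    print(handle_request(basic_header("admin", "wrong"), users))
```

Running the script walks through the three cases in order: no credentials (401 plus the challenge), correct credentials (200), and wrong credentials (401 again). The decode_header step is the reason the article insists on HTTPS: anyone who can read the connection can recover the username and password from the header directly.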
Configuring Apache
There are a few ways of configuring password authentication in Apache. You’ll still be adding the same config options, but Apache stores config files in a bunch of places and which one you’ll have to edit will depend on your configuration.
If you want to enable authentication for everything, you’ll want to edit the main config file:
/etc/apache2/apache2.conf
If you instead want to authenticate a specific folder, you'll want to edit that folder's config file in sites-enabled. For example, the default config is at:
/etc/apache2/sites-available/000-default.conf
though yours will likely be named based on the route. If you need to make a new one, you can copy this default config and change the DocumentRoot.
If you have managed hosting and don't have access to the main config files, you'll likely be modifying an .htaccess file, usually located at the root of your site's folder. For example:
/var/www/html/.htaccess
In any case, you'll want to open whatever file fits your use case, and add the following inside of a directory block. If you're modifying an .htaccess file, the <Directory> block isn't necessary, just the lines inside:
<Directory "/var/www/html">
    AuthType Basic
    AuthName "Restricted Content"
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
</Directory>
The auth settings will apply to the entire directory, which you’d usually want to set to the entire document root, though you could apply it only to a specific folder by changing the path:
<Directory "/var/www/html/restricted">
</Directory>
This will set the authentication type and point Apache towards the password file. There’s no requirement to name it anything specific, so you can generate different password files for different directories.
Restart Apache to apply the changes:
sudo service apache2 restart
Check the protected route in your browser, and you should be stopped and asked for a password. If you can't provide it, you'll be given a 401 Unauthorized error and denied access.
Keep in mind that the passwords are still transmitted in plaintext, so you’ll want to enable HTTPS for Apache.