Basic HTTP authentication uses usernames and passwords to secure certain routes on your site. It is commonly used to lock admin panels and backend services, and – in conjunction with HTTPS – provides good security for web-based resources.
How does HTTP authentication work?
Basic HTTP authentication protects certain resources or routes with a username and password. When a user tries to access such a resource, the browser displays a dialog box asking for credentials before sending anything. The administrator panels of most home routers are secured in this way.
Behind the scenes, when a user tries to access a protected resource, the server replies with a 401 Unauthorized response carrying a WWW-Authenticate header. The client then returns the username and password in an Authorization header. The server checks the combination against a list of hashed passwords, and the client is granted access if it matches.
Because basic HTTP authentication sends passwords in clear text, you must have HTTPS / TLS configured on your server; otherwise you are vulnerable to man-in-the-middle attacks. HTTPS encrypts the connection and locks out anyone who tries to sniff your password. You can set up a free certificate with LetsEncrypt, or, if you want to secure a private server, create and sign one yourself.
Generate a password file
For basic HTTP authentication to work, you need a file that acts as a database of usernames and their corresponding passwords. You can create this with htpasswd, which is installed alongside Apache by the apache2-utils package. If it is not installed, you can install it from your distro's package manager; for Debian-based systems like Ubuntu that would be:
sudo apt-get install apache2-utils
Then you can create the password file with the -c flag. This command creates a new password file and prompts for the password of the “admin” user:
sudo htpasswd -c /etc/apache2/.htpasswd admin
You will be asked for a password, which will be hashed and stored in /etc/apache2/.htpasswd. If you want to add another user, run the same command without the -c flag (which would recreate the file) to add an entry.
Alternatively, you can change Apache's AuthBasicProvider option to enable different methods for checking passwords, for example against a database. But the default option of using htpasswd files works well for most cases, especially with only a few users.
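As an added example (not code from the original article), here is the server side of the exchange described above, checking an Authorization header against the contents of an htpasswd file. It assumes the file was created with htpasswd -s, i.e. the {SHA} scheme, because that hash can be computed with the standard library alone; the sample file contents, header values and realm are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac

REALM = "Restricted Content"  # matches the AuthName used in the Apache config

# Constructed sample of /etc/apache2/.htpasswd contents as written by
# `htpasswd -s` ({SHA} scheme); the value is SHA-1("password"), base64-encoded.
HTPASSWD_SAMPLE = "admin:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=\n"

def parse_htpasswd(text):
    """Return {username: stored_hash}; one 'user:hash' entry per line."""
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            user, _, stored = line.partition(":")
            users[user] = stored
    return users

def verify_password(stored, candidate):
    """Check a candidate password against one htpasswd entry. Only the {SHA}
    scheme is implemented; apr1-MD5 ($apr1$) and bcrypt ($2y$) entries need
    extra code or packages and are rejected rather than silently accepted."""
    if not stored.startswith("{SHA}"):
        return False
    digest = base64.b64encode(hashlib.sha1(candidate.encode()).digest()).decode()
    return hmac.compare_digest(stored[len("{SHA}"):], digest)  # constant-time compare

def check_request(headers, users):
    """Server side of the exchange: return (status_code, response_headers)."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return 401, challenge          # no or foreign credentials: send the challenge
    try:
        creds = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return 401, challenge          # malformed token is treated like no token
    # Only the first colon separates user from password; passwords may contain ':'.
    user, sep, password = creds.partition(":")
    if not sep or not verify_password(users.get(user, ""), password):
        return 401, challenge
    return 200, {}

if __name__ == "__main__":
    users = parse_htpasswd(HTPASSWD_SAMPLE)
    print(check_request({}, users))                                             # 401
    print(check_request({"Authorization": "Basic YWRtaW46cGFzc3dvcmQ="}, users))  # 200
```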
There are several ways to configure password authentication in Apache. You will add the same configuration options in each case, but Apache stores configuration files in several places, and which one you need to edit depends on your setup.
To enable authentication for everything, you want to edit the main configuration file:
If you want to authenticate a specific folder instead, edit that folder's configuration file in sites-enabled. For example, the default configuration is:
but yours will probably be named after the route. If you need to create a new one, you can copy this default configuration and change
If you are on managed web hosting and do not have access to the main configuration files, you will most likely edit a .htaccess file, usually located at the root of your website directory. For example:
In any case, open whichever file suits your use case and add the following inside a directory block. If you are editing a .htaccess file, the <Directory> block is not necessary, only the lines inside it:
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
The authentication settings apply to the entire directory, which you normally set to the document root, but you can restrict them to a specific folder by changing the path:
This sets the authentication type and points Apache to the password file. There is no requirement to give the password file a specific name, so you can generate different password files for different directories.
Restart Apache to apply the changes:
sudo service apache2 restart
Open the protected route in your browser; it should stop and ask for a password. If you cannot provide it, you get a 401 Unauthorized error and access is denied.
Remember that passwords are still transmitted in plain text, so you want to enable HTTPS for Apache.