Basic HTTP authentication uses usernames and passwords to secure certain routes of your website. It’s commonly used to lock down admin panels and backend services, and—in conjunction with HTTPS—provides good security for web based resources.
How Does HTTP Authentication Work?
Basic HTTP authentication protects certain resources or routes with a username and password. When a user attempts to access that resource, their browser pops up a dialog asking for credentials before sending anything over. The admin panels of most home routers are secured in this way.
Behind the scenes, when a user attempts to access a protected resource, the server sends the user a
WWW-Authenticate header along with a
401 Unauthorized response. The client sends back the appropriate username and password, stored in the
Authorization header. The server checks the combination against a list of hashed passwords, and the client is allowed to connect if it matches.
Basic HTTP authentication requires sending passwords in plaintext, you need to have HTTPS/TLS set up on your server, or else you’ll be vulnerable to man-in-the-middle attacks. HTTPS will encrypt the connection and lock out anyone attempting to sniff your password. You can set up a free certificate with LetsEncrypt, or if you’re looking to secure a private server, create and sign one yourself.
Generate a Password File
For basic HTTP authentication to work, you will need a file to act as a database of usernames and their corresponding passwords. You can create this with the
htpasswd utility, which should be installed with your Apache installation through the
apache2-utils library. If it’s not installed, you can install it from your distro’s package manager; for Debian-based systems like Ubuntu, that would be:
sudo apt-get install apache2-utils
Next, you can generate the password file with the
-c flag. This command creates a new password file and sets the password for the “admin” user:
sudo htpasswd -c /etc/apache2/.htpasswd admin
You’ll be prompted for a password, which will be hashed and stored in
/etc/apache2/.htpasswd. If you want to add another user, leave out the
-c flag to append an entry.
Alternatively, you can change Apache’s
AuthBasicProvider option to allow for different methods of checking passwords, such as from databases. However, the default option of using
htpasswd files works fine for most cases, especially with only a few users.
There are a few ways of configuring password authentication in Apache. You’ll still be adding the same config options, but Apache stores config files in a bunch of places and which one you’ll have to edit will depend on your configuration.
If you want to enable authentication for everything, you’ll want to edit the main config file:
If you instead want to authenticate a specific folder, you’ll want to edit that folder’s config file in
sites-enabled. For example, the default config is at:
though yours will likely be named based on the route. If you need to make a new one, you can copy this default config and change the
If you have managed hosting and don’t have access to the main config files, you’ll likely be modifying an
.htaccess file, usually located at the root of your site’s folder. For example:
In any case, you’ll want to open whatever file fits your use case, and add the following inside of a directory block. If you’re modifying an
.htaccess file, the
<Directory> block isn’t necessary, just the lines inside:
<Directory "/var/www/html"> AuthType Basic AuthName "Restricted Content" AuthUserFile /etc/apache2/.htpasswd Require valid-user </Directory>
The auth settings will apply to the entire directory, which you’d usually want to set to the entire document root, though you could apply it only to a specific folder by changing the path:
<Directory "/var/www/html/restricted"> </Directory>
This will set the authentication type and point Apache towards the password file. There’s no requirement to name it anything specific, so you can generate different password files for different directories.
Restart Apache to apply the changes:
sudo service apache2 restart
Check the protected route in your browser, and you should be stopped and asked for a password. If you can’t provide it, you’ll be given a
401 Unauthorized error and denied access.
Keep in mind that the passwords are still transmitted in plaintext, so you’ll want to enable HTTPS for Apache.