sites commonly protect sensitive data behind a login screen, which requires
users to enter valid credentials before permitting them access. This login
screen is part of a larger authentication application, usually written in a Web
scripting language like PHP
which interfaces with a database to verify user credentials and grant or deny
is only problem with this system. Writing such an authentication application
usually requires a fair amount of code, as well as development and deployment
time. If you’re a Webmaster or systems administrator without the time or
required programming skills, however, don’t panic—you can create a quick and
effective authentication system for your site in just a few minutes using
features built into the Apache
document outlines the process of protecting access to areas of a Web site using
Apache’s built-in HTTP
Step 1: Ensure that your version of Apache supports HTTP authentication
“stock” Apache build is configured to support HTTP authentication by
default. However, if you’re using a customized or stripped-down build, your
version of Apache may not include support for this feature. To check this, run
the server with the -l command-line option, which lists the compiled-in modules,
and ensure that the resulting list includes an entry for mod_authasshown
in Listing A.
shell> /usr/local/apache/bin/httpd -l
such an entry is not present, you will need to recompile your Apache server and
include support for this feature before proceeding to the next step.
Information on how to do this may be obtained from the Apache Web
You should also look in the
Apache configuration file, httpd.conf, and ensure that the directive AllowOverride All is
present in the
this is not present, you can add it.
Step 2: Create a user/password database
the command prompt, switch to a directory outside the Web server root and run
the htpasswd utility. This
utility, included as part of the Apache distribution in its bin/ directory, creates a password database
that can be used by the Web server to verify user credentials and thereby grant
access to sensitive data. Listing B
shows you how to use it:
shell> cd /usr/local/apache
shell> /usr/local/apache/bin/htpasswd -c users.dat john
New password: ******
Re-type new password: ******
Adding password for user john
a username and password when prompted to do so, and htpasswd will create a new password database
containing this information in encrypted form. Repeat this step as many times
as you need to, adding a new user every time. However, the -c option passed to htpasswd on the command line should only appear
the first time you run the command, as it is used to initialize a new password
file; omit it from all subsequent htpasswd calls.
Caution: Ensure that the password database created in this step is
stored outside the Web server document root. Doing this ensures that malicious
users cannot download it through a Web browser.
Step 3: Enable the Apache authentication system
the password database is initialized, switch to the directory you wish to
protect. In your favorite text editor, create a new text file containing the
directives shown in Listing C and save it as .htaccess:
AuthName “Protected Area”
directives tell Apache to protect the directory from casual access, and force
the client browser to authenticate itself before allowing access. The path
provided to the AuthUserFile directive must,
of course, reflect the path to the password database created in the previous
Step 4: Restart Apache for the new settings to take effect
the password database and .htaccess file are created, restart the Web server for the changes to
shell> /usr/local/apache/bin/apachectl restart
test the authentication system, browse to the directory you protected in Step
3. Your browser should pop up a dialog box asking for a user name and password.
Only if your input matches a user/password combination previously created in
Step 2 will you be granted access.
there you have it—a quick and dirty security system, requiring minimal
investment of time and code. Go on out there, and start securing your data!