Configuring Apache webserver to restrict access to your website

April 06, 2005
Apache Webserver is the most popular web server and has a market share of around 60%. Here I will explain a small but very useful feature of the apache web server - which is restricting access to (a part of) your website to only the privileged few by implementing username and passwords.
There are two ways of restricting access to documents.
  1. Either by the hostname of the browser being used
  2. By asking a username and password
The first method can be used to, for example, restricting documents being used within a company. But if the people who are accessing documents are widely dispersed, then the second method is more suitable.
Here I will explain the second method - ie, assigning username and passwords to users who are authorized to access the documents. This is known as user authentication.
Setting up user authentication takes two steps :
  1. Create a file containing username and passwords - Apache webserver has a utility called htpasswd to create the file containing username and passwords. Here I am creating a file called 'users' in the /usr/local/etc/ directory.
Note: For security reasons, the above file should NOT be under the document root. It can be anywhere BUT the document root.
The first time you run the htpasswd utility, you run it using the -c flag as follows:
# htpasswd -c /usr/local/etc/users gopinath
The -c argument tells htpasswd to create a new users file. When you run the above command, you will be prompted to enter a password for the user gopinath, and confirm it by entering it again. Other users can be added to the existing file in the same way, except that the -c argument is not needed. The same command can also be used to modify the password of an existing user.
After adding a few users, the /usr/local/etc/users file might look like this :
The first field is the username and the second field is the encrypted password.
Now comes the Apache server's configuration part. Open the apache server's configuration file /etc/httpd/conf/httpd.conf (your configuration file will be in different location depending on the distribution you are using) and look for the line :
AllowOverride None 
And change it to
AllowOverride AuthConfig
If you want to protect the document root itself, create a file '.htaccess' in the top directory path and include the following lines to it:
#File: .htaccess
AuthName "Only Valid Access"
AuthType Basic
AuthUserFile /usr/local/etc/users
require valid-user
AuthName - directive specifies a realm name for this protection. Once a user has entered a valid username and password, any other resource within the same realm name can be accessed with the same username and password.
AuthType - directive tells the server what protocol is to be used for authentication. At the moment, 'Basic' is the only method available. However, a new method, 'Digest' is about to be standardized, and once browsers start to implement it, Digest authentication will provide more security than Basic authentication.
AuthUserFile - tells the server the location of the user file created by htpasswd utility. A similar directive, AuthGroupFile, can be used to tell the server the location of a group's file.

Lastly don't forget to restart the web server which rereads the changed configuration files :
# service httpd restart
From here on when you try to access your protected site or the directory via the web browser, you will be asked for authentication first. And only those users whose name has been entered in the file pointed to by the AuthUserFile directive will be allowed access to your site.


  • alex

    "Apache Webserver is the most popular webserver and is used by more than 80% of the servers."

    That's pretty surprising, I'd have expected IIS to have a bigger market share. Do you have a source?

  • Ravi

    I guess I stretched it a bit. When I wrote the article (April 2005), it was more like touching 70%. It is surprising that the market share of apache has actually decreased and at present it is just around 60% (58.6% to be exact). Source : [Netcraft]

    I have corrected the error. Thanks for pointing it out.

    But can I take comfort in the fact that you are also wide off the mark when you say that IIS had a bigger market share? ;-)

    At present it enjoys only 31% compared to apache's 58.7 ~ 60%.