Secure access to the website’s resources with .htaccess and .htpasswd files.

This is a very loose translation of this article by SloniuPL. Its actually an improvement as You don’t have to rely on a 3rd party website to generate password hashes plus there is no password length limit and the encryption used is not md5 but far more secure bcrypt.

Secure access to the website’s resources with .htaccess and .htpasswd files.

So… You have this subdomain on Your httpd (apache) server that You want to restrict access to? Awesome…

Use the .htaccess and .htpasswd files to demand authorization. How? Ok.

Lets say that the root of Your website is located in /var/www/html/ and in there You have this SuperSecret folder that You want to password protect.

Go into this folder:

cd /var/www/html/SuperSecret/

Create the .htaccess file:

mcedit .htaccess

Paste this as a content:

AuthName "Speak friend and enter:"
AuthType Basic
AuthUserFile /var/www/html/SuperSecret/.htpasswd
Require valid-user

F2 to save the file, F10 to close mcedit.

Now we will use the htpasswd utility to generate access credentials.

htpasswd comes with apache:

[root@icsserver andrzejl]# which htpasswd
[root@icsserver andrzejl]# pacman -Q –owns /sbin/htpasswd
/sbin/htpasswd is owned by apache 2.4.9-1

If You want to know more about it read man page or --help. I will just show You how to create login credentials just how I do it.

Lets say that You want to give access to this folder to:

User Name: Gandalf
Password: mellon

I would run this command because it will create the most secure password hash:

htpasswd -nb -B -C 31 Gandalf mellon

but.. FAIR WARNING: It will take forever and a day to generate that password hash – IF Your machine is not up to the task it may even freeze / crash (not just during the password hash generation but also during the browsing of the password protected resources!) – use lower value (think 3 times before going with something higher then 10!) for the -C switch. 5 is default, accepted values are between 4 and 31. The higher the value – the more time and cpu power is used to generate the password’s hash – the more secure it is. Let’s go with:

htpasswd -nb -B -C 10 Gandalf mellon

The result will look somewhat like this:

[root@icsserver SuperSecret]# htpasswd -nb -B -C 10 Gandalf mellon
[root@icsserver SuperSecret]#

Copy the line that the command spat out and run:

mcedit .htpasswd

Paste the Gandalf:$2y$15$q6v13VuSpKmmwJmjXRZiruxYZY5HJZr4u3zEupS5OI2uGrhkJSZ0q bit, F2 to save the file, F10 to close mcedit.

If You want more users to have access to this folder generate the password hashes for all of them using the same command we have used before and paste them in the .htpasswd file (every user in a separate line).


From now on if someone tries to join Your https://domain.loc/SuperSecret (or any subdirectory in the SuperSecret) they will see a password prompt.


AND if they will fail…


That’s all that they will see ;)…



P.S. Passwords like mellon are to short / simple – they should never be used – it was just an example / Lord of The Rings reference ;).


"Never meet Your heroes. Most of the time you'll only end up disappointed." White Polak Male Husband Employee Hetero Carnivorous Fugly Geek @$$hole with ADD Catholic “Some men just want to watch the world burn.”

Comments are closed.