Debian Tutorials

Debian Tutorials

Step by step tutorials showing you how to install and configure various applications and services on Debian based Linux distros.

September 2023


Password protecting a directory with Apache and .htaccess


The Apache web server can read .htaccess files located anywhere in your document root to perform different tasks and control settings without changing the configuration files. This may be useful where you don’t have access to change the configuration files or don’t want to mangle with the configuration files to perform easy tasks. In this tutorial we’re going to password protect a single directory on your web site.

First we’ll need to create a file containing users and passwords:

htpasswd -c /etc/apache2/.htpasswd user1
htpasswd /etc/apache2/.htpasswd user2

You can store the password file anywhere you like but I chose to store it where the Apache configuration files are located.

Now create a .htaccess file in the folder you wish to protect (pico /var/www/secret/.htaccess)

AuthType Basic
AuthUserFile /etc/apache2/.htpasswd
AuthName "Enter password"
Require valid-user

Make sure Apache allows .htaccess to override settings. Add these lines into your virtual host configuration and change the directory to your document root (pico /etc/apache2/sites-enabled/000-default):

<Directory /var/www/>
AllowOverride All

The AllowOverride setting may already be in your virtual host configuration. Make sure it is set to All.

If you changed the AllowOverride setting, restart Apache:

/etc/init.d/apache2 restart

The directory should now be password protected.

If you are getting server errors, make sure the Apache user has permission to read both the .htaccess file and .htpasswd.

chmod 755 /var/www/secret/.htaccess
chmod 755 /etc/apache2/.htpasswd

Comments 3
  • John K
    Posted on

    John K John K


    thanks for the info. It worked perfectly.

  • bob
    Posted on

    bob bob


    Doesn’t work for me, I keep getting an internal server error after I put in my username and password

  • Vagelis
    Posted on

    Vagelis Vagelis


    Works for me too. I use it for a Drupal site. I appended the contents of the .htaccess file I have to create, to the .htaccess of the Drupal installation.