You can password protect content in both the main and sub-directories of your DocumentRoot fairly easily. I know of cases where people allow normal access to their regular web pages, but require passwords for directories / pages that show MRTG or Webalizer data. In this example we'll show how to password protect the /var/www/html directory.
· Apache has a password utility called "htpasswd" which can create "username password" combinations independent of your system login password for web page access. You have to specify the location of the password file, and if it doesn't yet exist, you'll have to include a "-c" or "create" switch on the command line. I recommend placing the file in your /etc/httpd/conf directory, away from the DocumentRoot tree where web users could possibly view it. Here is an example for a first user named "peter" and a second named "paul":
[root@bigboy tmp]# htpasswd -c /etc/httpd/conf/.htpasswd peter
New password:
Re-type new password:
Adding password for user peter
[root@bigboy tmp]#
[root@bigboy tmp]# htpasswd /etc/httpd/conf/.htpasswd paul
New password:
Re-type new password:
Adding password for user paul
[root@bigboy tmp]#
· Make the .htpasswd file readable by all users.
[root@bigboy tmp]# chmod 644 /etc/httpd/conf/.htpasswd
· Create a .htaccess file in the directory you want to password protect, with the following entries. Remember this will password protect this directory and all its subdirectories.
AuthUserFile /etc/httpd/conf/.htpasswd
AuthGroupFile /dev/null
AuthName EnterPassword
AuthType Basic
require user peter
· The "AuthUserFile" tells Apache to use the ".htpasswd" file.
· The "require user" tells Apache that only user "peter" in the ".htpasswd" file should have access. If you wanted all ".htpasswd" users to have access then you'd replace this line with "require valid-user".
· "AuthType Basic" instructs Apache to accept basic unencrypted passwords from the remote user's web browser. The browser only base64-encodes the password, so anyone who can observe the connection can read it unless the site is served over HTTPS.
· Set the correct file protections on your new .htaccess file in the directory /var/www/html.
[root@bigboy tmp]# chmod 644 /var/www/html/.htaccess
· Make sure your /etc/httpd/conf/httpd.conf file has an AllowOverride statement in a <Directory> directive for any directory in the tree above /var/www/html. In the example below, we want all directories below /var/www/ to require password authorization.
<Directory /var/www/html/*>
AllowOverride AuthConfig
</Directory>
· You must also ensure that you have a <VirtualHost> directive that defines access to /var/www/html or another directory higher up in the tree.
<VirtualHost *>
ServerName 97.158.253.26
DocumentRoot /var/www/html
</VirtualHost>
· Restart Apache. Try accessing the web site and you'll be prompted for a password.
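
The following check is an added example, not part of the original procedure: it parses a .htaccess file like the one above and reports whether the password file sits inside the DocumentRoot or whether a directive that Basic authentication needs is missing. The function names and the /etc/httpd ServerRoot default are assumptions made for the example.

```python
# Added example (not from the original page): audit a Basic-auth .htaccess.
import posixpath
import shlex

# The .htaccess shown on this page, embedded so the script runs offline.
PAGE_HTACCESS = """\
AuthUserFile /etc/httpd/conf/.htpasswd
AuthGroupFile /dev/null
AuthName EnterPassword
AuthType Basic
require user peter
"""

def parse_htaccess(text):
    """Map each directive name (lower-cased; Apache ignores case) to its arguments."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "<")):  # skip comments and section tags
            continue
        name, *args = shlex.split(line)
        directives[name.lower()] = args
    return directives

def is_inside(path, root):
    """True if path is root or below it, after collapsing '..' (string check only)."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")

def audit(htaccess_text, document_root, server_root="/etc/httpd"):
    """Return a list of findings; an empty list means every check passed."""
    d = parse_htaccess(htaccess_text)
    findings = []
    user_file = (d.get("authuserfile") or [None])[0]
    if user_file is None:
        findings.append("missing authuserfile directive")
    else:
        # Apache resolves a relative AuthUserFile against ServerRoot
        # (server_root is an assumed default for this example).
        resolved = posixpath.normpath(posixpath.join(server_root, user_file))
        if is_inside(resolved, document_root):
            findings.append("password file %s is inside DocumentRoot" % resolved)
    for needed in ("authtype", "authname", "require"):
        if needed not in d:
            findings.append("missing %s directive" % needed)
    return findings

if __name__ == "__main__":
    for finding in audit(PAGE_HTACCESS, "/var/www/html") or ["no findings"]:
        print(finding)
```

To audit a real site, pass the contents of its .htaccess file and its DocumentRoot to audit().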